The last decade shaped today's cybersecurity — the next decade will amplify it.
Gartner's 2020 CIO survey found cybersecurity edging out AI and RPA deployment. Investments in cybersecurity were a reaction to the pandemic or a cyberattack, or simply a matter of catching up after historical underinvestment.
Regardless of the reason, opportunities lie ahead for "fit and fragile organizations," said Toby Bussa, VP analyst at Gartner, while speaking at the Gartner IT Symposium/Xpo Americas in October.
Now it's up to CISOs to capitalize on opportunities. Looking into the next decade of cyber, CISOs have to answer:
- What factors are controllable, and will they still be controllable in the future?
- What "mega trends" are out of the CISO's control?
- What influence can the CISO have as a leader?
"What you can influence might be risk treatment, it might be the organizational risk appetite, you might be able to influence the budget," said Bussa. But out of the CISO's control are technology trends, threats, regulations and pandemics.
While the nature of cyber and threats forces security professionals "to live in the moment," the CISO who can perform today while keeping an eye on tomorrow is the best fit for the next decade of cyber. Without futurist tendencies, CISOs are doomed to stay reactive, which diminishes their ability to lead.
"It's okay to be a futurist. And when it's the appropriate time, leaders should be thinking about the future," said Bussa. The security standards of 2010 — upheld largely by firewalls and antivirus software — and the solutions needed today can't just defend what's in the moment.
Since 2010, security solutions have embraced the cloud, AI, and more consumer-like technologies. Attackers matured through nation states, and ransomware shifted its focus from consumers to the enterprise.
The security organization will confront some new functions in the decade ahead: cyber judgement, cyber-physical, cyber resilience, and cyber safety. While some of the terms are unfamiliar now, Bussa recommends security practitioners get used to them. "I do think it's important to emphasize though that cybersecurity cannot be just about technologies that the security risk management teams are using or the technologies that they've been entrusted to secure by the business," Bussa said.
Because of the disconnect between where cybersecurity responsibility is shared and where technologies pick it up, CISOs can inherit the "chief information scapegoat officer" reputation, said Bussa. The next 10 years will require an accountability shift in organizations.
"This will be an evolutionary change as cybersecurity becomes more entwined," said Bussa.
Staring down 2030
As the industry enters into the next decade, CISOs have risk, resiliency, trust and safety on their plates. But in each element, their role will become more of an advisor, said Bussa. The change in the CISO role coincides with the evolving digital landscape, inadvertently creating two classes of enterprise: the digital nationalists and the digital globalists.
Digital nationalists "fear [the] loss of national sovereignty," whereas digital globalists say national sovereignty is over and want to share data, according to Gartner. "This coalescing around these narratives is a combination of cultural wars, political imperatives and shared histories that create a broader context for technology," said Bussa.
Influencing the "balkanization" of digital preferences are the cloud and the internet. Researchers expect four versions of the internet to unfold, including the open internet, bourgeois internet, authoritarian internet and commercial internet. Some of this "splintering" is already seen in countries where internet searches are filtered or when regulations like GDPR took effect.
But the cloud will also experience balkanization. "We may actually see cloud environments that are purpose-built to address regional and nation state requirements," said Bussa. International governments will start to more heavily "challenge the dominance of cloud infrastructure and platform services." Companies might also favor technologies native to their own countries.
With international regulation and emerging technologies challenging the status quo, security leaders are grappling with further distrust. While Gartner predicted half of information security spending would be "fragmented along geopolitical lines" in 2012, the assumption has not yet been realized.
"It becomes a force that cybersecurity leaders are going to have to contend with, especially if those leaders are operating in leading organizations to have global operations," said Bussa.