Speaking at the Gartner Security & Risk Management Summit in Sydney, Deepti Gopal, Director Analyst at Gartner, said, “As we start moving beyond what’s possible with Gen AI, solid opportunities are emerging to help solve a number of perennial issues plaguing cyber security, particularly the skills shortage and unsecure human behaviour. The scope of the top predictions this year is clearly not on technology, as the human element continues to gain far more attention. Any CISO looking to build an effective and sustainable cyber security programme must make this a priority.”

Gartner recommends that cyber security leaders build a series of strategic planning assumptions into their security strategies for the next two years, including the following:

• By 2028, the adoption of GenAI will collapse the skills gap, removing the need for specialised education from 50% of entry-level cyber security positions. Gen AI augments will change how organisations hire and teach cyber security workers looking for the right aptitude, as much as the right education. Mainstream platforms already offer conversational augments, but will evolve. Gartner recommends cyber security teams focus on internal use cases that support users as they work; coordinate with HR partners; and identify adjacent talent for more critical cyber security roles.

• By 2026, enterprises combining Gen AI with an integrated platforms-based architecture in security behaviour and culture programmes (SBCP) will experience 40% fewer employee-driven cyber security incidents. Organisations are increasingly focused on personalised engagement as an essential component of an effective SBCP. Gen AI has the potential to generate hyperpersonalised content and training materials that take into context an employee’s unique attributes. According to Gartner, this will increase the likelihood of employees adopting more secure behaviours in their day-to-day work, resulting in fewer cyber security incidents.

“Organisations that haven’t yet embraced Gen AI capabilities should evaluate their current external security awareness partner to understand how it is leveraging Gen AI as part of its solution roadmap,” said Gopal.

• Through 2026, 75% of organisations will exclude unmanaged, legacy, and cyber-physical systems from their zero trust strategies. Under a zero trust strategy, users and endpoints receive only the access needed to do their jobs and are continuously monitored based on evolving threats. In production or mission-critical environments, these concepts do not universally translate for unmanaged devices, legacy applications and cyber-physical systems (CPS) engineered to perform specific tasks in unique safety and reliability-centric environments.

• By 2027, two-thirds of global 100 organisations will extend directors and officers (D&O) insurance to cyber security leaders due to personal legal exposure. New laws and regulations — such as the SEC’s cyber security disclosure and reporting rules — expose cyber security leaders to personal liability. The roles and responsibilities of the CISO need to be updated for associated reporting and disclosures. Gartner recommends organisations explore the benefits of covering the role with D&O insurance, as well as other insurance and compensation, to mitigate personal liability, professional risk and legal expenses.

• By 2028, enterprise spend on battling malinformation will surpass $500 billion, cannibalising 50% of marketing and cyber security budgets. The combination of AI, analytics, behavioural science, social media, Internet of Things and other technologies enable bad actors to create and spread highly effective, mass-customised malinformation (or misinformation). Gartner recommends CISOs define the responsibilities for governing, devising and executing enterprise-wide anti-malinformation programmes, and invest in tools and techniques that combat the issue using chaos engineering to test resilience.

• Through 2026, 40% of identity and access management (IAM) leaders will take over the primary responsibility for detecting and responding to IAM-related breaches. IAM leaders often struggle to articulate security and business value to drive accurate investment and are not involved in security resourcing and budgeting discussions. As IAM leaders continue to grow in importance, they will evolve in different directions, each with increased responsibility, visibility and influence. Gartner recommends CISOs break traditional IT and security silos by giving stakeholders visibility into the role IAM plays by aligning the IAM programme and security initiatives.

• By 2027, 70% of organisations will combine data loss prevention and insider risk management disciplines with IAM context to identify suspicious behaviour more effectively. Increased interest in consolidated controls has prompted vendors to develop capabilities that represent an overlap between user behaviour focused controls and data loss prevention. This introduces a more comprehensive set of capabilities for security teams to create a single policy for dual use in data security and insider risk mitigation. Gartner recommends organisations identify data risk and identity risk, and use them in tandem as the primary directive for strategic data security.

• By 2027, 30% of cyber security functions will redesign application security to be consumed directly by non-cyber experts and owned by application owners. The volume, variety and context of applications that business technologists and distributed delivery teams create means potential for exposures well beyond what dedicated application security teams can handle.

“To bridge the gap, cyber security functions must build minimum effective expertise in these teams, using a combination of technology and training to generate only as much competence as is required to make cyber risk informed decisions autonomously,” said Gopal.