9 cyber security trends for 2023

New research from Gartner has revealed the top cyber security trends for 2023, with leaders urged to pivot to a “human-centric” approach in order for effective cyber security programs to be established.

Lauren Croft, 18 April 2023, Corporate Counsel

According to the tech research and consulting firm, security and risk management (SRM) leaders must rethink their balance of investments across technology and human-centric elements when creating and implementing cyber security programs.

Senior director analyst at Gartner Richard Addiscott said that this could help leaders in a variety of ways.

“A human-centred approach to cyber security is essential to reduce security failures,” he said.

“Focusing on people in control design and implementation, as well as through business communications and cyber security talent management, will help to improve business-risk decisions and cyber security staff retention.”

There are three key domains Gartner said SRM leaders should be focused on: the essential role of people for security program success and sustainability; technical security capabilities that provide greater visibility and responsiveness across the organisation’s digital ecosystem; and restructuring the way the security function operates to enable agility without compromising security.

And according to research from Gartner, there are nine trends that will have a massive impact on SRM leaders across those three key domains.

Human-centric security design

Human-centric security design means that the role of employee experience across the controls management life cycle is a top priority. By 2027, 50 per cent of large enterprise chief information security officers (CISOs) will have adopted human-centric security design practices to minimise cyber security-induced friction and maximise control adoption.

“Traditional security awareness programs have failed to reduce unsecure employee behaviour,” Mr Addiscott said.

“CISOs must review past cyber security incidents to identify major sources of cyber security-induced friction and determine where they can ease the burden for employees through more human-centric controls or retire controls that add friction without meaningfully reducing risk.”

Enhancing people management for security program sustainability

By 2026, the firm predicted that 60 per cent of organisations would shift from external hiring to “quiet hiring” from internal talent markets to address systemic cyber security and recruitment challenges.

As previously reported by Lawyers Weekly, quiet hiring is a phenomenon that sees employers moving employees into different jobs and different departments instead of hiring new staff — and it is all about saving costs.

While cyber security leaders have traditionally focused on improving technology and processes that support their programs, CISOs who take a human-centric talent management approach to attract and retain talent have seen improvements in their functional and technical maturity, according to Gartner.

Transforming the cyber security operating model to support value creation

A Gartner survey found that 41 per cent of employees perform some kind of technology work, a trend that is expected to continue growing over the next five years — and one that further proves that technology is now moving from central IT functions to lines of business, corporate functions, fusion teams and individual employees.

“Business leaders now widely accept that cyber security risk is a top business risk to manage — not a technology problem to solve,” Mr Addiscott quipped.

“Supporting and accelerating business outcomes is a core cyber security priority, yet remains a top challenge.”

Threat exposure management

Gartner urged CISOs to evolve their assessment practices to understand their exposure to threats by implementing continuous threat exposure management (CTEM) programs. By 2026, the firm predicted, organisations prioritising their security investments based on a CTEM program will suffer two-thirds fewer breaches.

“CISOs must continually refine their threat assessment practices to keep up with their organisation’s evolving work practices, using a CTEM approach to evaluate more than just technology vulnerabilities,” Mr Addiscott noted.

Identity fabric immunity

Fragile identity infrastructure is caused by incomplete, misconfigured or vulnerable elements in the identity fabric. By 2027, identity fabric immunity principles will prevent 85 per cent of new attacks and thereby reduce the financial impact of breaches by 80 per cent, the Gartner research showed.    

“Identity fabric immunity not only protects the existing and new IAM components in the fabric with identity threat and detection response (ITDR), but it also fortifies it by completing and properly,” Mr Addiscott added.

Cyber security validation

Cyber security validation brings together the techniques, processes and tools used to validate how potential attackers exploit an identified threat exposure. The tools required for cyber security validation are making significant progress in automating repeatable and predictable aspects of assessments, enabling regular benchmarks of attack techniques, security controls and processes.

According to Gartner, through 2026, more than 40 per cent of organisations, including two-thirds of midsize enterprises, will rely on consolidated platforms to run cyber security validation assessments.

Cyber security platform consolidation

As organisations look to simplify operations, vendors are consolidating platforms around one or more major cyber security domains.

For example, identity security services may be offered through a common platform that combines governance, privileged access and access management features. Therefore, SRM leaders need to continuously inventory security controls to understand where overlaps exist and reduce the redundancy through consolidated platforms, Gartner said.

Composable businesses need composable security

Composable security is an approach where cyber security controls are integrated into architectural patterns and then applied at a modular level in composable technology implementations. Gartner noted that by 2027, more than 50 per cent of core business applications would be built using composable architecture, requiring a new approach to securing those applications. 

“Composable security is designed to protect composable business,” Mr Addiscott confirmed.

“The creation of applications with composable components introduces undiscovered dependencies. For CISOs, this is a significant opportunity to embed privacy and security by design by creating component-based, reusable security control objects.”

Boards expand their competency in cyber security oversight

The board’s increased focus on cyber security is being driven by the trend towards explicit-level accountability for cyber security to include enhanced responsibilities for board members in their governance activities. Cyber security leaders must provide boards with reporting that demonstrates the impact of cyber security programs on the organisation’s goals and objectives.

“SRM leaders must encourage active board participation and engagement in cyber security decision making,” Mr Addiscott concluded.

“Act as a strategic advisor, providing recommendations for actions to be taken by the board, including allocation of budgets and resources for security.”

Lauren Croft

Lauren is a journalist at Lawyers Weekly and graduated with a Bachelor of Journalism from Macleay College. Prior to joining Lawyers Weekly, she worked as a trade journalist for media and travel industry publications and Travel Weekly. Originally born in England, Lauren enjoys trying new bars and restaurants, attending music festivals and travelling. She is also a keen snowboarder and pre-pandemic, spent a season living in a French ski resort.