Top Security and Risk Trends for 2021

By Kasey Panetta, Gartner, Inc.

Cybersecurity mesh, security-savvy boards of directors, and remote working all made this year’s security and risk trends. As cybersecurity and regulatory compliance become the top two concerns of corporate boards, some are adding cybersecurity experts specifically to scrutinise security and risk issues.

Adding a cybersecurity expert directly to the board is just one of the eight Gartner security and risk trends for 2021, many of which are driven by recent events such as security breaches and the COVID-19 pandemic.

“In the past year, the typical enterprise has been turned inside out,” says Peter Firstbrook, VP Analyst, Gartner. “As the new normal takes shape, all organisations will need an always-connected defensive posture, and clarity on what business risks remote users elevate to remain secure.”

This year’s security and risk trends highlight ongoing strategic shifts in the security ecosystem that aren’t yet widely recognised, but are expected to have broad industry impact and significant potential for disruption.

Trend No. 1: Cybersecurity mesh 

The cybersecurity mesh is a modern conceptual approach to security architecture that enables the distributed enterprise to deploy and extend security where it is most needed. 

When COVID-19 accelerated digital business, it also accelerated the trend wherein many digital assets — and individuals — are increasingly located outside of the traditional enterprise infrastructure. Additionally, cybersecurity teams are being asked to secure countless forms of digital transformation and other new technologies. This requires security options that are flexible, agile, scalable and composable — those that will enable the organisation to move into the future, but in a secure manner. 

Trend No. 2: Cyber-savvy boards

With an increase in very public security breaches and increasingly complex security setups, boards are paying more attention to cybersecurity. They recognise it as a huge risk to the enterprise, and are forming dedicated committees that focus on discussing cybersecurity matters, often led by a board member with security experience (such as a former CISO) or a third-party consultant. 

This means that the organisation’s CISO can expect increased scrutiny and expectations, alongside an increase in support and resources. CISOs will need to improve their communication and should expect tougher questions from the board as a result. 

Trend No. 3: Vendor consolidation

The reality of security today is that security leaders have too many tools. Gartner found, in the 2020 CISO Effectiveness Survey, that 78% of CISOs have 16 or more tools in their cybersecurity vendor portfolio; 12% have 46 or more. Having too many security vendors results in complex security operations and increased security headcount.

Most organisations recognise vendor consolidation as an avenue for reduced costs and better security, with 80% of organisations interested in a vendor consolidation strategy. Large security vendors are responding with better integrated products. However, consolidation is challenging and often takes years to roll out. Although lower cost is often a driver of this trend, more streamlined operations and reduced risk are often more achievable.

Trend No. 4: Identity-first security

A perfect storm of several events, including COVID-19, which resulted in remote work and technical and cultural shifts, made identity as the new perimeter a trend. Identity-first security has been considered the gold standard for a while, but because many organisations remained in more traditional setups, it wasn’t a focus.

Now that the pandemic has pushed organisations to become fully (or mostly) remote, this trend has become vital to address. The result of these technical and cultural shifts is that “identity-first security” now represents the way all information workers will function, regardless of whether they are remote or office-bound.

Trend No. 5: Managing machine identities as a critical security capability

As digital transformation progresses, organisations are seeing increased numbers of non-human entities, which means managing machine identities has become a vital part of the security strategy. Included in machine identities (as opposed to human identities) are workloads (i.e., containers, applications, services) and devices (mobile devices, desktop computers, IoT/OT devices).

As the number of devices increases — and continues to grow — establishing an enterprise-wide strategy for managing machine identities, certificates and secrets will enable the organisation to better secure digital transformation. 

Trend No. 6: Remote working is now just work 

According to the 2021 Gartner CIO Survey, 64% of employees are now able to work from home, and two-fifths actually are working from home. As a result of COVID-19, what was once only available to executives, senior staff and sales is now widely available, with plans to shift some employees to remote work permanently post-pandemic. From a security perspective, this requires a total reboot of policies, tools and approved machines to better mitigate the risks.

Trend No. 7: Breach and attack simulation 

A new market is emerging to help organisations validate their security posture. Breach and attack simulation (BAS) offers continuous testing and validation of security controls and tests the organisation’s posture against external threats, as well as offering specialised assessments and highlighting the risks to high-value assets like confidential data. Plus, BAS includes training to enable security organisations to mature. 

These tools will help immediately identify issues when it comes to the efficacy of security controls, configuration issues and detection capability. The ability to run this kind of assessment repeatedly and across a range of attack techniques enables better security assessments in near real-time. 

Trend No. 8: Privacy-enhancing computation techniques

Privacy-enhancing computation (PEC) techniques are emerging that protect data while it is being used — as opposed to while it’s at rest or in motion — to enable secure data processing, sharing, cross-border transfers and analytics, even in untrusted environments.

This technology is rapidly transforming from academic research to real projects delivering real value, enabling new forms of computing and sharing with reduced risk of data breaches.