Gartner’s top 10 security predictions

Watch out for weak in-house code, data in the cloud and the Internet of things

Forward looking IT security pros need to better address known risks, monitor closely the value of shadow IT devices and solve the inherent weaknesses introduced by the internet of things, Gartner says.

The consulting firm has taken a look at five key areas of security concern that businesses face this year and issued predictions on and recommendations about protecting networks and data from threats that will likely arise in each.

The areas are threat and vulnerability management, application and data security, network and mobile security, identity and access management, and Internet of Things security. Gartner’s findings were revealed at its recent Security and Risk Management Summit by analyst Earl Perkins.

One overriding recommendation is that businesses must be aware that delaying security measures in an effort to avoid disrupting business can be a false economy.

He recommends that security pros should make decisions about protecting networks and resources based on the range of risks that known weaknesses represent to the business and its goals. Rather than thinking about their role purely as protecting, they should look at it as facilitating successful business outcomes.

Here are the predictions and recommendations:  

Threat and vulnerability management

Prediction: “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”

With attackers looking for vulnerabilities in applications as well as exploitable configurations, it’s important for businesses to patch vulnerabilities in a timely fashion. If they don’t, they stand to lose money through damage to systems and theft of data.

Prediction: “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.”

An area of growing concern is the introduction of new technologies by business units without vetting by the security team, Perkins says. Avoiding that review and the fact that many of these technologies are new and still contain vulnerabilities makes them susceptible to attacks.

Application and data security

Prediction: “By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.”

Data security governance will be promoted by insurance companies that will set cyber premiums based on whether businesses have these programs in place.

Prediction: “By 2020, 40% of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.”

Here Perkins looks to maturing technology called runtime application self-protection (RASP) as a way to avoid vulnerabilities in applications that might result from problems overlooked due to the rapid pace at which DevOps teams work. RASP does its work rapidly and accurately to provide protection against vulnerabilities that might be exploited, he says.

Network and Mobile Security

Prediction: “By 2020, 80% of new deals for cloud-based cloud-access security brokers (CASB) will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.”

Vendors of traditional network security products such as firewalls, SWGs and WAFs want to be in on their customers protecting their SaaS applications, which is effectively accomplished via CASBs, he says. Businesses should evaluate whether CASB services are warranted based on their plans for application deployment, and should consider offers by their current vendors of these traditional technologies, he says.

Identity and Access Management

Prediction: “By 2019, 40% of identity as a service (IDaaS) implementations will replace on-premises IAM implementations, up from 10% today.”

This increase in use of IDaaS will in part stem from the difficulty and expense of running on-premises IAM infrastructure, and the growing use of other something-as-a-service offerings will make the decision more comfortable. The ongoing introduction of more and more Web and mobile applications will create a natural opportunity for the transition from in-house IAM to IDaaS, he says.

Prediction: “By 2019, use of passwords and tokens in medium-risk use cases will drop 55%, due to the introduction of recognition technologies.”

With the cost and accuracy of biometrics, they become a good option for continuously authenticating. In combination with use-r and entity-behavior analysis, this technology can make a difference when applied to cases that call for a medium level of trust, Perkins says.

Security for the internet of things (IoT)

Prediction: “Through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices.”

IoT devices are still being made without much consideration being given to security, and yet some are located in networks so that, if exploited, they could expose networks to harm and data to breaches, Perkins says. Businesses need a framework for determining the risks each IoT device type represents and the appropriate controls for dealing with them.

Prediction: “By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.”

Since security pros won’t be able to determine the importance that IoT devices represent to the organization, the business unit that uses them should determine what risk they represent. Security pros should set aside 5% to 10% of IT security spending for monitoring and protecting these devices as needed, he says.

Join the CSO newsletter!

Error: Please check your email address.

More about Gartner

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place