Gartner 8 Cybersecurity Predictions 2023-2026

In late June 2022, Gartner held Security and Risk Management Summit in Sydney. One of the most discussed subjects was the opening keynote by the company’s two top executives, Rob McMillan and Richard Addiscott. They shared Gartner 8 Cybersecurity Predictions 2023.

In this article, we provide an overview of these predictions and outline ways for companies to make the most of them.

Gartner 8 Cybersecurity Predictions 2023-2026: Summary

In this section, we provide a short summary of all the predictions that Gartner made for the upcoming 4 years.

1. Privacy regulations

The number of states introducing laws and regulations protecting consumer privacy will increase. The number of protected individuals will expand from 3B to 5B in 2023.

2. Cloud services unification

In the past years, the number of cybersecurity solutions used by a single organization has significantly increased. It creates additional operational pressure on cybersecurity employees who have to switch between different applications and platforms on a daily basis.

Reasonably, up to 80% of enterprises will choose a security service edge solution, namely a single pane of glass that secures access to cloud services, the Internet, and private applications.

3. Ransomware response regulations

The number of ransomware attacks is growing every year hitting businesses, governments, healthcare organizations, and supply chains. These incidents impact the lives of millions of people. Though states never interfere in what ransomware response measures companies choose to take, it is likely to change in the future.

Gartner predicts that ransomware-related negotiations, payments, and fines will be regulated by law in 20% of countries by the end of 2025.

4. Zero Trust adoption

The openness of corporate networks before and during the pandemics made them vulnerable to external and internal cybersecurity threats. It became obvious that a new approach to data access is necessary.

Zero Trust as a leading principle in cybersecurity will be adopted by 60% of organizations, most not understanding its advantage.

5. Cyber risk impact on third-party transactions

Since it became harder to target enterprises, cyber criminals switched to companies that provide services for them. That’s why we’ve seen the strikes on supply chains and service providers surge in recent years.

Responding to the new threats, 60% of organizations will make decisions on business engagements and third-party transactions based on the related cybersecurity risks in 2025.

6. The weaponization of operational technology

Gartner predicts human casualties due to the cyber attacks on operational technology that have increased in number lately.

7. Organizational resilience in the age of disruption

The COVID era showed the inability of many companies to efficiently encounter a large-scale crisis, respond, and adapt. In the upcoming year, experts predict more disruptions in politics, economics, civil society, and the digital environment.

That’s why organizational resilience is becoming increasingly important. And about 70% of CEOs will introduce it as a culture in their companies by 2025.

8. The shift of accountability for the cyber risks

Gartner has seen a change in the perception of cybersecurity risks by businesses and stakeholders. Previously, they were predominantly viewed as an issue for IT departments. Now, they are an integral part of business risks.

As a result, the ability to efficiently mitigate cybersecurity risks will become a performance requirement for at least 50% of C-level executives by 2026.

Read the whole report here.

Key outcomes of top eight cybersecurity predictions by Gartner

In addition to listing Gartner’s trends, we’d like to outline their more subtle outcomes for companies. To that end, we divided all the trends into two categories: the impact on the business operations and the impact on the cybersecurity architecture of enterprises, and later SMBs.

Business operations and IT

As mentioned before, we’ll see a major change in how businesses establish partnerships and make purchasing decisions paying increasing attention to the cybersecurity risks.

Most likely these processes will become a part of larger-scale overall organizational resilience programs. Furthermore, because cybersecurity risks will be a part of business risks the top management will be responsible for creating and implementing these programs.

This shift will require top management to learn more about cybersecurity since their performance will depend on it. Another possible consequence is strengthening the direct control over IT departments and their general involvement in building cybersecurity programs. On the other hand, IT teams will have more impact on their organization.

There’s a less obvious outcome: the IT specialists will become more engaged in business processes that used to be beyond their responsibilities. And it will mean an additional load on their day-to-day tasks as well as supplementary requirements to their knowledge and skills. Many companies will likely expect their IT specialists to understand the key business processes deeper.

Organizations should also keep in mind the talent gap and general overload of cybersecurity employees due to stress with a reported 90% of professionals considering leaving the profession. Taking into account the necessity to be more actively engaged in multiple business processes, IT pros might feel even more pressure that will force them to quit jobs or even their profession.

Cybersecurity architecture

Cybersecurity architecture will be changing in the future towards a more “strict” one. Partially, it’s due to the surge of cybercrime but also due to the increasing regulations in privacy protection and ransomware response. Partially it’s due to the impact that cyber events can have not only on businesses but also on human lives.

We’ll see an increase in internal IT security policies, controls, and operations, which requires either more tools or platforms that will offer broader functionality. Furthermore, the companies will be seeking tools that help implement a zero-trust approach.

We’ll be living in a world of more strict regulations on cybersecurity in a couple of years. First, new privacy regulations will make data protection even more critical than it is now. Second, there’ll be new ransomware regulations. We don’t know yet what kind of regulations around ransomware response the governments will introduce. However, we believe it will pose additional challenges to companies hit by this type of malware.

Finally, we’ll see a more integrated approach to cybersecurity with a strengthened focus on incident response and the methods to minimize the impacts of such events.

Similar to business operations, the shift of cybersecurity integration will create additional load and stress on information security teams.

What organizations can do to meet the upcoming challenges and fit into the new cybersecurity paradigm?

We believe companies should have a comprehensive approach to the outlined trends.

More cybersecurity training for all employees that work with IT tools. It should be carried out on a regular basis.
Businesses should seek software solutions that will enable them to take access to the data under their control.
Ransomware prevention and protection should become an integral part of cybersecurity policy.
Companies should consider purchasing software that is able to detect and stop ransomware rather than tools that address the outcomes of this problem (e.g. decryption keys).
Organizations should acquire cybersecurity automation solutions to decrease the workload of their workers.
They should opt for tools that have multiple cybersecurity functions and work on multiple platforms.

SpinOne is a multifunctional data protection platform for Google Workspace, Microsoft Office 365, and Salesforce that will enable you to meet the upcoming cybersecurity challenges. It enables IT teams to automate key data protection operations:

SpinOne provides 24/7 ransomware monitoring, immediate detection, and attack termination.
It enables companies to implement a zero-trust approach with its login and access monitoring functionality as well as shadow IT detection.
It will help businesses to comply with privacy regulations by providing monitoring of PII in GW and MSO 365.
SpinOne is an integrated platform that works with key SaaS tools like Google Workspace, Microsoft Office 365, and Salesforce.
SpinOne helps retrieve lost data as it has Salesforce, GW, and Office backup.

Frequently Asked Questions

What are the major US data privacy protection laws?

The US data privacy protection landscape consists of the patchwork of state data privacy laws. As of August 2023, when we are answering this question, comprehensive data privacy laws have been enacted in five states: California, Colorado, Connecticut, Utah, and Virginia.

The California Consumer Privacy Act (CCPA)
The Virginia Consumer Data Protection Act (CDPA)
The Colorado Privacy Act (CPA)
The Utah Consumer Privacy Act (UCPA)
The Connecticut Data Privacy Act (CTDPA)

Of these five laws, CCPA is the toughest legislation, while UCPA is the most business-friendly one.

What is the US ransomware legislation?

There are several pieces of bills targeting ransomware have been introduced in the US in recent years. However, the only law enacted so far is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) as of March 8, 2022. This US federal law requires organizations that operate in critical infrastructure to report certain cybersecurity incidents, including ransomware incidents, to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the incident occurring.

What are the US federal laws to protect privacy?

There is a mix of federal industry-specific laws in the United States that protect privacy. These laws vary in their scope and focus, but they all share the goal of protecting individuals’ personal information. These include (but are not limited to):

The Privacy Act of 1974 protects the privacy of individual’s personal information that is collected by federal agencies.
The Health Insurance Portability and Accountability Act (HIPAA) targets the privacy and security of health information.
The Gramm-Leach-Bliley Act (GLBA) protects the privacy of financial information.

Although these laws protect the privacy of specific data types, like health information or financial data, they cannot solve the issue of protecting all data at the federal scale. The draft bill of comprehensive federal data protection legislation titled the American Data Privacy and Protection Act (ADPPA) was released on June 3, 2022. Now it is expected to be passed.