Privacy bills, ransomware attacks, cyber-physical systems, and board-level scrutiny are emerging as priorities for security and risk leaders.

“How do we ensure our consumers are not physically harmed by rogue agents?” This is a question that security and risk leaders need to anticipate and plan for in the future.

The proliferation of cyber-physical systems (e.g. self-driving cars, digital twins) raises another security risk for organizations. And one of our first predictions for the next few years is how threat actors will target these systems.

“We’re getting into the bad habit of eating out of the box, trying to eat everything in one go,” Gartner principal analyst Sam Olyaei said in a presentation at Gartner IT Symposium/XPO? 2021. “It’s actually unsustainable, we need to keep improving our thinking, concepts, solutions and structures.”

Safety and risk management have risen to corporate board level issues. As the number and sophistication of security breaches continues to rise, new legislation has been introduced to protect consumers, and companies are placing security at the forefront of business decisions.

Gartner analysts predict that more decentralization, regulatory measures and security concerns will emerge in the coming years. You should incorporate these strategic planning assumptions into your route planning for the year ahead.

1. By the end of 2023, the Modern Privacy Act will cover the personal information of 75% of the world’s population

The GDPR was the first major piece of legislation targeting consumer privacy, but other laws soon followed, including Brazil’s General Personal Data Protection Act (LGPD) and California Consumer Privacy Act (CCPA). The breadth of these laws means that you will be dealing with multiple data protection laws simultaneously in different jurisdictions, and customers will want to know what data you collect and how it will be used. It also means you need to focus on automating your privacy management system. You should standardize your security operations based on the GDPR and then adjust for each other jurisdiction.

2. By 2024, organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90%

Today, organizations need to support various technologies in different places because they need flexible security solutions. The cybersecurity mesh extends and covers identities beyond traditional security perimeters and builds a holistic view of the organization. It also helps improve the safety of remote work. These demands will drive more organizations to adopt grid architectures over the next two years.

3. By 2024, 30% of enterprises will adopt cloud-delivered Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Firewall as a Service (FWaaS) capabilities from the same vendor

Businesses are leaning towards optimization and consolidation. Security leaders typically manage dozens of tools, but they plan to consolidate them to less than ten. SaaS will be the preferred delivery method, and its integration with hardware will impact the timeframe for adoption.

4. By 2025, 60% of organizations will cite cybersecurity risk as a major determinant of third-party transactions and business dealings.

Investors, especially venture capitalists, are using cybersecurity risk as a key factor in evaluating investment opportunities. An increasing number of organizations are focusing on cybersecurity risks in business transactions, including mergers and acquisitions, and supplier contracts. The result is additional cybersecurity program data for partners through questionnaires or security ratings.

5. By the end of 2025, the proportion of nation-states that have passed legislation to regulate ransomware payments, fines and negotiations will rise to 30%, up from less than 1% in 2021.

While there may be broader regulations that apply to ransomware ransom payments today, security experts should expect a tougher crackdown on ransom payments in the future. Given that the cryptocurrency market is largely unregulated, there are ethical, legal, and ethical implications for paying ransoms, and the implications must be taken into account. The decision to pay (or not pay) should be taken by a cross-functional team that can address all of these issues.

6. By 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member

As cybersecurity becomes (and continues to be) a top concern for boards, we can expect to see a board-level cybersecurity committee, as well as greater oversight and scrutiny. This increases organizations’ visibility into cybersecurity risks and requires a new approach to board reporting, the details of which may depend on the background and experience of a particular board member. You should focus your messaging on value, risk, and cost.

7. By 2025, 70% of CEOs will require a culture of organizational resilience to deal with simultaneous threats from cybercrime, severe weather events, civil unrest and political unrest

Given the broader security environment, we need to move beyond cybersecurity and toward organizational resilience. Digital transformation increases the complexity of the threat landscape, which affects how you produce products and deliver services. You should begin to develop organizational resilience and goals and build a list of cyber risks that affect them.

8. By 2025, threat actors will successfully weaponize the operational technology environment enough to cause casualties

As malware spreads from the IT (Information Technology) realm to the OT (Operational Technology) realm, it shifts the security conversation from business disruption to physical harm, the responsibility for which may ultimately fall to the CEO. You should focus on asset-centric cyber-physical systems and make sure you have a team to address the corresponding management issues.