This article has been updated from the original, published on May 24, 2018, to reflect new events, conditions or research.

Critical data breaches are in the news on a regular basis these days. A single breach can result in massive losses, both in money and reputation. Stock prices drop, customers become angry and business goals are jeopardized.

“Security and risk management leaders have operated in the shadows for a long time. Now it’s their opportunity to shine”

Security — once merely a small part of enterprise IT — is now a significant function, crucial for organizational success. This has elevated the role of security and risk management (SRM) leaders, who are currently faced with the difficult task of protecting their organizations from harmful cyberattacks and tougher regulators with increased expectations

“Security and risk management leaders have operated in the shadows for a long time. Now it’s their opportunity to shine,” said Peter Firstbrook, research vice president at Gartner. “If they exploit emerging trends and build a strong security program, they can keep their organization safe and significantly elevate their standing.”

Firstbrook identified the six major upcoming security and risk management trends, along with some of their key impacts.

Trend No. 1: The spotlight is on

Security breaches threaten C-level jobs and cost organizations millions of dollars, as proven by Equifax and Maersk. As a result, business leaders and senior stakeholders now focus much more on what is going on in the security department. SRM leaders should capitalize on this increased attention and work closely with business stakeholders to link security strategy with business initiatives. This is also a perfect opportunity to address skill shortages and increase professional development of the internal security workforce.

“When speaking with senior executives, an important but often neglected aspect is the language barrier,” said Firstbrook during the Gartner Security and Risk Management Summit 2018. “Speak the language of the business and don’t lose yourself in technical terms when you deal with the C-suite.”

Trend No. 2: Regulations enforce change

The rise of data breaches forces enterprises to comply with an increasingly complex legal and regulatory environment, including Europe’s General Data Protection Regulation(GDPR).

Data is both an asset and a potential liability. Digital business plans must weigh both and seek innovative solutions to lower costs and potential liabilities. “Leading organizations are focused on how a compliance program can act as a business enabler,” explained Firstbrook. “The message SRM leaders must communicate to CEOs is that data protection has both costs and risk but can also be used as a business differentiator.”

Trend No. 3: Security moves to the cloud

Enterprise security organizations are getting buried under the maintenance burden of legacy security solutions. Cloud-delivered security products are more agile and can implement new detection methods and services faster than on-site solutions.

But not all cloud security services are created equal. Exploiting the cloud is more than moving legacy management servers to the cloud. SRM leaders should look for solutions that take full advantage of cloud scale, increased data telemetry, staff augmentation, machine learning, API-based access, and other services and products that are disruptive to the status quo.

Trend No. 4: Machine learning becomes the watchdog

By 2025, machine learning (ML) will be a normal part of security practice and will offset some skills and staffing shortfalls. In its current state, ML is better at addressing narrow and well-defined problem sets, such as classifying executable files. We can’t escape the fact that humans and machines complement each other, and together they can outperform each alone. Machine learning reaches out to humans for assistance to address uncertainty and aids them by presenting relevant information.

“We cannot escape the immutable fact that humans and machines complement each other,” said Firstbrook. “Together they can outperform either alone.”

Today it is difficult to unpack the difference between marketing and good ML. SRM leaders should focus on how AI makes its product superior in terms of efficacy and administrative requirements. Keep in mind that ML requires human assistance, but the key question is where that assistance comes from.

Trend No. 5: Origin beats pricing

The recent U.S. government bans against Russian-based security products and Chinesesmartphones are only the latest results of a growing distrust of the influence of competitive world powers in cyberspace. Organizations that deal with government agencies should be especially sensitive to the geopolitical demands of their upstream and downstream business relationships.

All security and product buying decisions are based on trust in the integrity of the supplier. SRM leaders should start to incorporate geopolitical risk in all business-critical software, hardware and services purchasing decisions and, where necessary, consider local alternatives.

Trend No. 6: Concentrations of digital power

Increased centralization has put the power of digital into the hands of a few. This means digital trust has been consolidated and rests with a few big players — in form of certificates, domains and email providers — which raises security concerns. As centralization gives way to monopolies and monocultures, the risk of disruptions and undesirable outcomes increases.

Consequently, we see a rise in efforts to create decentralized alternatives such asblockchain and edge computing, which moves computing resources away from centralized servers. The ultimate goal of these decentralization approaches is to increase availability, security and privacy for users. However, this tech is still an emerging area.

Security and risk management leaders envisioning constraints on digital business plans as a result of a concentration of resources should:

• Evaluate the security implications of centralization on availability, confidentiality and resiliency on digital business plans.
• Explore an alternative decentralized architecture in digital business planning initiatives where centralization increases the risks to the business goals.