#GartnerSEC: Zero Failure Tolerance, A Cybersecurity Myth Holding Back Organizations


Security leaders must steer away from a zero tolerance for failure approach to cybersecurity and adopt and embrace augmented cybersecurity in order to thrive.

Speaking at the Gartner Risk and Security Summit, analysts urged cybersecurity leaders to focus on response and recovery, as this is where the largest maturity gap lies compared to prevention.

While prevention remains important, the analysts argued that this is “mere survival” in an ever-expanding threat landscape.

“We'd need tons more prevention than anyone's going to fund us for. We could spend 10 times what we do today on preventing cyber-attacks and still every organization in this room would be massively exposed,” Christopher Mixter, VP Analyst at Gartner, noted.

Mixter argued that there has been a collective under-investment in response and recovery.

“It is this under-investment that is driving security teams into the ground,” he said.

The analysts noted that unrealistic expectations have been placed on security teams to never fail, not to experience any incidents, whereas the truth is that all organizations accept some levels of risk.

Akif Khan, VP Analyst at Gartner, said, “Cyber-attacks are not just possible. They are inevitable. Which is why we must discard the zero tolerance of failure mindset. And instead elevate response and recovery to have equal status with prevention.”

To achieve this, the analysts outlined three areas of development:

  1. Shifting leaders away from that zero tolerance for failure mindset
  2. Maturing towards a minimum effective toolset to reduce the effort required to manage your cyber technology function
  3. Building a resilient cyber workforce that has strong self-care and prioritizes mental health support

AI and Third-Party Risk

“With a rapidly evolving tech like GenAI it is impossible to prevent all attacks 100% of the time. Therefore, your ability to adapt to respond and recover from the inevitable issues becomes critical to enable your organization to explore GenAI successfully,” said Khan.

Gartner expects a 15% increase in incremental spending to secure Gen AI tools.

The analysts recommended implementing an AI handbook in order to manage the security of AI within the organization.

The firm also highlighted third-party risk from vendors. It recommended that organizations have a formal third-party contingency plan, including an exit strategy, for when an incident may occur with a vendor.

Such a plan can lead to a 43% improvement in effectiveness of third-party cyber risk management, according to Gartner.

They also stressed that organizations must work with their vendors to raise cybersecurity maturity across the vendor market.

Gartner’s Minimum Effective Toolset

Gartner first introduced the idea of a minimum effective toolset to the global market in 2023 and took the opportunity to reinforce the proposition at the 2024 conference.

The approach requires leaders to determine the smallest number of tools needed to observe, defend against and respond to exploitation of the organization's exposures.

The analysts recommended creating an inventory of what an organization already has and understanding where there are candidates for streamlining.

However, they warned against consolidating down to one single vendor as there is much innovation within the cybersecurity market that can be taken advantage of.

Resilient Cybersecurity Workforce

“We must also make experimentation and failure safe,” Khan said.

Mixter encouraged organizations to move away from “hero behavior”, where success stems from not having an incident, and instead to celebrate failures for the learning experiences and opportunities they provide.

The analysts also recommended building self-care into workflows to avoid burnout.

Gartner also highlighted that resiliency should be regarded as a competency.
