Gartner Top 10 Security Projects for 2020-2021

Security and risk management leaders should focus on these 10 security projects to drive business value and reduce risk for the business.

“Are you trying to ensure security for your remote workforce but don’t want to hinder business productivity?” “Are you struggling with identifying risks and gaps in security capabilities?” “Where should CISOs focus time and resources?” 

Security and risk management experts constantly ask these questions, but the real question should be what projects will drive the most business value and reduce risk for the organization in a constantly shifting security landscape. 

“We can spend too much precious time overanalyzing choices we make about security, striving for this notion of perfect protection that just simply does not exist,” said Brian Reed, Sr. Director Analyst, during the virtual Gartner Security & Risk Management Summit, 2020. “We must look beyond basic protection decisions and improve organizational resilience through innovative approaches to detection and response, and ultimately, recovery from security incidents.”

The key is to prioritize business enablement and reduce risk — and communicate those priorities effectively to the business. 

This year’s top 10 security projects, based on Gartner forecasts and adjusted for the impact of COVID-19, feature eight new projects, focused heavily on risk management and understanding process breakdowns. These projects, which aren’t listed in order of importance, can be executed independently. 

No. 1: Securing your remote workforce

Focus on business requirements and understand how users and groups access data and applications. Now that a few months have passed since the initial remote push, it’s time for a needs assessment and review of what has changed to determine if access levels are correct and whether any security measures are actually impeding work.

No. 2: Risk-based vulnerability management

Don’t try to patch everything; focus on vulnerabilities that are actually exploitable. Go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to provide a better view of real organizational risk.  

No. 3: Extended detection and response (XDR)

XDR is a unified security and incident response platform that collects and correlates data from multiple proprietary components. The platform-level integration occurs at the point of deployment rather than being added in later. This consolidates multiple security products into one and may help provide better overall security outcomes. Organizations should consider using this technology to simplify and streamline security. 

No. 4: Cloud security posture management

Organizations need to ensure common controls across IaaS and PaaS, as well as support automated assessment and remediation. Cloud applications are extremely dynamic and need an automated DevSecOps style of security. It can be challenging to secure the public cloud without a means to ensure policy uniformity across cloud security approaches. 

No. 5: Simplify cloud access controls

Cloud access controls typically are done through a CASB. They offer real-time enforcement through an in-line proxy that can provide policy enforcement and active blocking. CASBs also offer flexibility by, for example, starting out in monitoring mode to better ensure fidelity of traffic and understand security access. 

No. 6: DMARC

Organizations use email as the single source of verification, and users struggle to distinguish real messages from fakes. DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email authentication policy. DMARC is not a total solution for email security, and should be one piece of a holistic security approach. However, it can offer an additional layer of trust and verification for the sender’s domain. DMARC can help prevent domain spoofing but will not address all email security issues. 

No. 7: Passwordless authentication

While employees may not think twice about using the same password for their work computer as they do for their personal email, it can cause major security headaches. Passwordless authentication, which can functionally work in a few different ways, offers a better solution for security. The goal should be to increase trust and improve the user experience. 

No. 8: Data classification and protection

All data is not the same. A one-size-fits-all security approach will create areas of too much security and others of too little, increasing the risk for the organization. Start with policies and definitions to get the process right before beginning to layer in the security technologies. 

No. 9: Workforce competencies assessment

Install the right people with the right skills in the right roles. It’s critical but challenging to combine hard technical skills with softer leadership expertise. There are no perfect candidates, but you can identify five or six must-have competencies for each project. Assess competencies in a range of ways, including cyber ranges, cyber simulations and soft-skill assessments. 

No. 10: Automating security risk assessments 

This is one way to help security teams understand risks related to security operations, new projects or program-level risk. Risk assessment tends to be either skipped entirely or done on a limited basis. These assessments will allow for limited risk automation and visibility into where risk gaps exist.  
