For those of us charged with managing cyber risk as well as planning and budgeting for cybersecurity, the Gartner “Hype Cycle for Risk Management, 2018” provides some helpful perspectives that are useful in setting both priorities and expectations.
For complimentary access to the full report, fill out this registration form and we will send you a link.
Gartner’s framework depicts buyer expectations on one axis and time on another, and solutions typically progress through the following phases: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, and Plateau of Productivity.
When you look at the items in the “Peak of Inflated Expectations,” you can almost read the past year’s headlines behind them. Two themes caught my eye in this year’s report – data protection/privacy and vendor risk management. These two items are the source of considerable angst and consternation among cybersecurity professionals.
Data Classification is new to the Gartner list this year, skipping the Innovation Trigger phase and moving right to the Peak. It is a difficult challenge: the Gartner report notes that “Data classification can be associated with attempting the impossible — to identify, tag and store all of an organization's data without first taking into account the utility and value of that data.” Why? From Coalfire’s view, it requires more than technology; it requires strong, mature governance practices and changes to organizational behavior. In my experience, changing people and processes is harder than implementing new technologies. But without that change, you don’t get the full benefits of the technology.
With the European Union’s General Data Protection Regulation (GDPR) now in effect and similar activity pending in the United States at the state level (read about the California Consumer Privacy Act of 2018), organizations have very high expectations for all things surrounding privacy. This goes deeper than protecting personally identifiable information. It goes to how an organization uses the data it collects.
Privacy Impact Assessments made the jump from Innovation Trigger to Peak of Inflated Expectations. Much like Data Classification, this is as much people and process as it is technology. Multiple stakeholders including General Counsel, Business Process Owners, and the Chief Information Security Officer (CISO) must come together and devise a way to meet regulatory requirements, customer expectations, and business needs. This ties in closely with two other items residing firmly in the Peak of Inflated Expectations – Data Analytics and Governance and Privacy by Design.
While mandated by numerous regulations across multiple sectors, IT Vendor Risk Management has managed to remain within the Trough of Disillusionment. The report points out a few factors as to why.
I hope that you find this Gartner report and my observations useful as you contemplate future investments. Again, if you would like access to this report, you can get it here. Or, if you would like to discuss this report or any other cyber risk-related topic, I’d love to hear from you. I’m reachable at firstname.lastname@example.org or through your Coalfire account manager.
Gartner: Hype Cycle for Risk Management, 2018, John A. Wheeler, 13 July 2018
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Coalfire.
Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings, or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.