Our Analysis: Gartner’s Hype Cycle for Risk Management, 2018

Bob Post, Senior Practice Director, Cyber Risk Advisory, Coalfire

For those of us charged with managing cyber risk as well as planning and budgeting for cybersecurity, the Gartner “Hype Cycle for Risk Management, 2018” provides some helpful perspectives that are useful in setting both priorities and expectations.

For complimentary access to the full report, fill out this registration form and we will send you a link.

Gartner’s framework depicts buyer expectations on one axis and time on another, and solutions typically progress through the following phases: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, and Plateau of Productivity. 
Coalfire's viewpoint

When you look at the items in the “Peak of Inflated Expectations,” you can almost read the past year’s headlines behind them. Two themes caught my eye in this year’s report – data protection/privacy and vendor risk management. These two items are the source of considerable angst and consternation among cybersecurity professionals.

Data Classification is new to the Gartner list this year, skipping the Innovation Trigger phase and moving straight to the Peak. And it is a difficult challenge: The Gartner report notes that "Data classification can be associated with attempting the impossible — to identify, tag and store all of an organization's data without first taking into account the utility and value of that data." Why? From Coalfire's view, classification requires more than technology; it requires strong, mature governance practices and changes to organizational behavior. In my experience, changing people and processes is harder than implementing new technology. But without that change, you don't get the full benefit of the technology.

With the European Union's General Data Protection Regulation (GDPR) now in effect, and similar legislation pending in the United States at the state level (such as the California Consumer Privacy Act of 2018), organizations have very high expectations for all things surrounding privacy. This goes deeper than protecting personally identifiable information. It goes to how an organization uses the data it collects.

Privacy Impact Assessments made the jump from Innovation Trigger to Peak of Inflated Expectations. Much like Data Classification, this is as much people and process as it is technology. Multiple stakeholders, including General Counsel, Business Process Owners, and the Chief Information Security Officer (CISO), must come together and devise a way to meet regulatory requirements, customer expectations, and business needs. This ties in closely with two other items residing firmly in the Peak of Inflated Expectations: Data Analytics and Governance, and Privacy by Design.

While mandated by numerous regulations across multiple sectors, IT Vendor Risk Management remains within the Trough of Disillusionment. The report identifies several reasons why.

I hope that you find this Gartner report and my observations useful as you contemplate future investments. Again, if you would like access to this report, you can get it here. Or, if you would like to discuss this report or any other cyber risk-related topic, I’d love to hear from you. I’m reachable at bob.post@coalfire.com or through your Coalfire account manager.

Gartner: Hype Cycle for Risk Management, 2018, John A. Wheeler, 13 July 2018

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Coalfire.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings, or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

