As organizations transition to digital businesses, a shortage of directly owned infrastructure and services outside of IT's control will have to be addressed by security teams, according to Gartner.
The research firm predicts that by 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.
"Cybersecurity is a critical part of digital business with its broader external ecosystem and new challenges in an open digital world," said Paul Proctor, vice president and distinguished analyst at Gartner.
"Organizations will learn to live with acceptable levels of digital risk as business units innovate to discover what security they need and what they can afford. Digital ethics, analytics and a people-centric focus will be as important as technical controls."
Gartner has identified five key areas of focus for successfully addressing cybersecurity in digital business: leadership and governance, the evolving threat environment, cybersecurity at the speed of digital businesses, security at the new edge and cultural change.
Improving leadership and governance is arguably more important than developing technology tools and skills when addressing cybersecurity and technology risk in digital business, Gartner said.
IT risk and security leaders must meanwhile move from trying to prevent every threat and acknowledge that perfect protection is not achievable. Gartner predicts that by 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 30% in 2016.
Because igital business moves at a faster pace than traditional business, traditional security approaches designed for maximum control will no longer work in the new era of digital innovation.
IT risk and information security leaders must assess and transform their programs to become digital business enablers rather than obstacles to innovation.
Organizations also need to address cybersecurity and risks in technologies and assets they no longer own or control. Business unit IT is a fact in most modern enterprises, and it will not be shut down by cybersecurity and risk concerns. It must be embraced and managed to deliver appropriate levels of protection.
Cybersecurity must meanwhile accommodate and address the needs of people through process and cultural change. People-centric security gives each person in an organization increasing autonomy in how he or she uses information and devices.