Cyber security leaders will face a mix of challenges and opportunities this year influenced by generative AI (GenAI) evolution, digital decentralising, supply chain interdependencies, regulatory change, endemic talent shortages and a constantly evolving threat landscape. Gartner senior principal analyst Alex Michaels said security and risk management (SRM) leaders face a mix of challenges and opportunities this year, with a goal to enable transformation and embed resilience. “Their efforts in achieving both are crucial to support their organisation’s aspirations to not only innovate, but ensure their innovations are secure and sustainable in a fast-changing digital world,” he said. GenAI driving data security programs Most security efforts and financial resources are traditionally focused on protecting structured data such as databases. However, the rise of GenAI has transformed data security programs shifted the focus onto the to protect unstructured data text, images and videos. “Many organisations have completely reoriented their investment strategies, which has significant implications for large language model (LLM) training, data deployment and inference processes,” said Michaels. “Ultimately, this shift underscores the changing priorities that leaders must address as they communicate the impact of GenAI on their programs.” Managing machine identities The increasing adoption of GenAI, cloud services, automation and DevOps practices has led to the prolific use of machine accounts and credentials for physical devices and software workloads. If left uncontrolled and unmanaged, machine identities can significantly expand an organisation's attack surface. Gartner said SRM leaders are under pressure to build a strategy to implement robust machine identity and access management (IAM) to protect against attacks, but it must be a coordinated enterprise-wide effort Tactical AI Mixed AI implementation has led SRM leaders to reprioritise their initiatives and focus on narrower use cases with direct measurable impacts. They are looking to align AI practices and tools with existing metrics and fitting them into existing initiatives. According to Gartner, this will give them an enhanced visibility of the real value of AI investments. “SRM leaders now have clear responsibilities to secure third-party AI consumption, protect enterprise AI applications and improve cybersecurity with AI,” said Michaels. “By focusing on more tactical, demonstrably beneficial improvements, they can minimise the risks for their cybersecurity programs and can more easily demonstrate progress.” Cyber security technology optimisation With the overwhelming number of vendors in the cyber security space, SRM leaders need to optimise their toolsets to build more efficient and effective security programs. Gartner recommends aiming for a balance that procurement, security architects, security engineers, and other stakeholders are satisfied with maintaining the right security posture. To achieve this, SRM leaders should consolidate and validate core security controls and focus on architecture that enhances portability of data. Threat modeling and organizational technology drivers such as AI adoption can also be used to assess advanced needs. Culture program value Security behaviour and culture programs (SBCPs) have reached an inflection point for most organisations. Effective SRM leaders recognise the value these programs bring to improve their cybersecurity posture. This trend is gaining traction due to increasing recognition that both good and bad human behavior are critical components of cybersecurity. As a result, cultural and behavior-focused activities have become a prominent approach to address cyber-risk comprehension and ownership at the human level. This reflects a strategic shift toward embedding security into the organizational culture. Addressing cyber security burnout SRM leader and security team burnout are key concerns for an industry already impacted by a systemic skills shortage, Gartner said. This pervasive stress stems from relentless demands associated with securing highly complex organisations in constantly changing threat, regulatory and business environments, with limited authority, executive support and resources. “Cyber security burnout and its organisational impact must be recognised and addressed to ensure cyber security program effectiveness,” said Michaels. “The most effective SRM leaders are not only prioritising their own stress management, they are investing in teamwide wellbeing initiatives that demonstrably improve personal resilience.”