Gartner’s Top IT Security Projects for 2019

At this week’s Gartner Security Summit in National Harbor, Maryland, Gartner analyst Brian Reed outlined 10 cybersecurity projects that could help enterprises reduce security risk.

Reed also noted enterprise spending priorities. CASB tops the list by a wide margin, with a 46% compound annual growth rate (CAGR) expected through 2022, followed by encryption at 23.7% annual growth, threat intelligence at 20.6% and privileged access management (PAM) at 17%.

The list of top projects includes five holdovers from the 2018 list and five new projects. The goal was to find projects with high business and risk reduction impact that can be budgeted and staffed this year.

Before tackling new security projects, Reed emphasized that enterprises should first get the basics right:

Top security projects for 2019

Of the 10 security projects, the five holdovers from 2018 are: privileged access management; vulnerability management; detection and response; cloud security posture management; and CASB.

The five new projects are: business email compromise; dark data discovery; security incident response; container security; and security ratings services.

1. Privileged Access Management

Among Reed’s recommendations were multi-factor authentication for all admins and PAM for third-party access.

He listed the following vendors in the PAM space:

  • ARCON
  • Hitachi ID
  • BeyondTrust
  • Lieberman
  • Broadcom-CA
  • One Identity
  • Centrify
  • Osirium
  • CyberArk
  • Senhasegura
  • Fox Technologies
  • Thycotic
  • Fudo Security
  • WALLIX

2. CARTA-inspired vulnerability management

CARTA – Continuous Adaptive Risk and Trust Assessment – is Gartner’s strategic concept for information security. Reed recommended a similar risk-based approach to patch management that focuses on systems and vulnerabilities with higher risk. He listed the following vendors as potential partners:

  • Core Security
  • Skybox Security
  • Kenna Security
  • Tenable.io
  • NopSec
  • Qualys
  • RedSeal
  • RiskSense
  • Risk Based Security

3. Detection and response

Reed said that mean time to detect and respond is the new standard for effective security against attackers. As only 20% of endpoints are protected by endpoint detection and response (EDR), there’s a lot of room for improved security here. He listed the following vendors:

  • BlackBerry Cylance
  • McAfee
  • Carbon Black
  • Microsoft
  • Cisco
  • Sophos
  • CrowdStrike
  • Symantec
  • Cybereason
  • Tanium
  • Endgame
  • Trend Micro
  • FireEye

4. Cloud security posture management (CSPM)

Reed’s list included two cloud projects: cloud security posture management (CSPM) and cloud access security brokers (CASB). CSPM focuses more than CASB or cloud workload protection on the operational aspects of enterprises, such as monitoring, DevSecOps and risk identification. Reed said vendors include:

  • Alert Logic
  • Microsoft Azure
  • Amazon
  • Qualys
  • Bitglass
  • Symantec
  • CloudAware
  • Tenable.io
  • CloudCheckr
  • Google Cloud
  • McAfee

5. CASB

Reed said CASB is for enterprises looking for visibility and central management of policy and governance across multiple cloud services. CASB vendors include:

  • Bitglass
  • Microsoft
  • CensorNet
  • Palo Alto Networks
  • CipherCloud
  • Proofpoint
  • Cisco
  • Symantec
  • Forcepoint
  • Fortinet
  • McAfee

6. Business email compromise (BEC)

A business email compromise (BEC) attack steals funds or sensitive data by exploiting normal business processes. Because it relies on pure social engineering tactics rather than malicious URLs or attachments, it bypasses traditional security processes. Reed said enterprises need technology that can inspect message context by looking at the trustworthiness and authenticity of the sender. Security awareness training and web browser isolation are other controls. BEC vendors include:

  • Abnormal Security
  • Mimecast
  • Agari
  • PhishLabs
  • Area 1 Security
  • Proofpoint
  • GreatHorn
  • Terranova
  • Graphus
  • Trend Micro
  • INKY
  • Valimail
  • Ironscales

7. Dark data discovery project

Reed said “dark data” is data that was once operationally valuable but over time has become “dark,” meaning it has unknown risks and no value. Vendors that could help include:

  • Active Navigation
  • Micro Focus
  • Adlib
  • SailPoint
  • Druva
  • Spirion
  • Formpipe
  • STEALTHbits
  • Ground Labs
  • TITUS
  • IBM
  • Varonis
  • Index Engines

8. Incident response

Reed said security incidents are inevitable, but having an incident response vendor on retainer “is not a replacement for good security processes and preparedness.” IR vendors include:

  • AT&T
  • Kroll
  • BlackBerry Cylance
  • Kudelski Security
  • Booz Allen Hamilton
  • McAfee
  • Cisco
  • Rapid7
  • CrowdStrike
  • Secureworks
  • FireEye (Mandiant)
  • Stroz Friedberg
  • IBM
  • Verizon

9. Container security

Reed said more than half of enterprises have at least one container-based application in development or production, making container security a growing need. “Make sure these are secured from inception,” he said. Container security vendors include:

  • Aqua Security
  • Trend Micro
  • McAfee
  • Twistlock
  • NeuVector
  • Qualys-Layered Insight
  • StackRox
  • Symantec

10. Security ratings services

Reed also recommended a security ratings services project focused on risks associated with digital ecosystems, going beyond internal security posture, to the supply chain, regulators, customers and partners. Security ratings services vendors include:

  • BitSight
  • NormShield
  • CORAX
  • PANORAYS
  • Cyence
  • RiskRecon
  • SecurityScorecard
  • UpGuard
  • CyRating
  • FICO

IT security priorities

Reed said if an enterprise can do only two things this year, it should implement MFA for admins and a CARTA-inspired approach to vulnerability management.

He also recommended a default deny posture on server, network and application access.

Paul Shread
eSecurityPlanet Editor Paul Shread has covered nearly every aspect of enterprise technology in his 20+ years in IT journalism, including award-winning articles on endpoint security and virtual data centers. He wrote a column on small business technology for Time.com, and covered financial markets for 10 years, from the dot-com boom and bust to the 2007-2009 financial crisis. He holds a market analyst certification. In a previous life he worked for daily newspapers, including the Baltimore Sun, and spent 7 years covering the federal government. Al Haig once compared him to Bob Woodward (true story - just ask Google).
