Gartner: Ditch ‘big transformation’ cyber strategies for continuous improvement
As artificial intelligence reshapes the enterprise, CISOs must abandon risky big bang security transformation initiatives in favour of incremental changes to build cyber resilience
Organisations that approach cyber security with a “big transformation” mindset increase cyber risk, according to Richard Addescott, vice-president analyst at Gartner.
Speaking at the analyst firm’s Security and Risk Management Summit in Sydney, Addescott said this mindset has to change as organisations redirect IT expenditure into artificial intelligence (AI) projects.
“This is a problem that we actually make better by making it smaller,” he said. “We can break it down into moments, we can anticipate, and [have] ideas that we can implement quickly.”
To succeed, chief information security officers (CISOs) should adopt a nimble, responsive and quickly pivoting approach, embracing the Kaizen model of continuous, sustainable improvement through successive small changes.
Addescott outlined four key areas where security leaders can apply this incremental approach.
1. Modernise identity and access management (IAM)
The proliferation of AI agents will lead to thousands of machine identities requiring authentication. Gartner predicts that by 2028, a quarter of all breaches will occur through the agent-based attack surface due to poor machine identity hygiene.
Recognising that excellent identity management can become a competitive differentiator in a world where attacks are commonplace, cyber security teams must treat and protect machine identities with the same rigour as human identities. Addescott advised investing in identity visibility and intelligence platforms (IVIPs) to gain continuous, real-time observability over all identities.
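The "machine identity hygiene" the article refers to can be checked with plain, deterministic rules over an identity inventory. The following is an added example, not code from Gartner or from any IVIP product: it takes a constructed inventory of human and machine identities and reports the hygiene problems a continuous-observability process would surface (no accountable owner, credentials older than the rotation policy, idle identities, expired credentials still present). The rotation and idle limits are assumed values, not Gartner's figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Policy limits (assumed for this example, not Gartner recommendations)
MAX_CREDENTIAL_AGE = timedelta(days=90)   # rotate at least every 90 days
MAX_IDLE = timedelta(days=30)             # unused for 30 days => review


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                  # "human" or "machine"
    owner: Optional[str]       # accountable person or team, None if unknown
    last_rotated: date         # when the credential was last rotated
    last_used: date            # last authentication seen in logs
    expires: Optional[date]    # credential expiry, None if non-expiring


# Constructed inventory: one clean human, one clean service account,
# and two machine identities with the kinds of problems the talk warns about.
TODAY = date(2025, 6, 1)
INVENTORY: List[Identity] = [
    Identity("alice", "human", "alice", date(2025, 5, 1), date(2025, 5, 31), None),
    Identity("svc-invoice-agent", "machine", None, date(2025, 1, 10), date(2025, 5, 31), None),
    Identity("svc-report-bot", "machine", "finance-team", date(2025, 4, 15), date(2025, 3, 1), date(2025, 5, 1)),
    Identity("svc-ci-deploy", "machine", "platform-team", date(2025, 5, 20), date(2025, 5, 31), None),
]


def hygiene_findings(identities: List[Identity], today: date) -> List[Tuple[str, str]]:
    """Apply the hygiene rules to every identity; return (name, issue) pairs."""
    findings: List[Tuple[str, str]] = []
    for ident in identities:
        if ident.kind == "machine" and ident.owner is None:
            findings.append((ident.name, "no accountable owner"))
        if today - ident.last_rotated > MAX_CREDENTIAL_AGE:
            findings.append((ident.name, "credential older than rotation policy"))
        if today - ident.last_used > MAX_IDLE:
            findings.append((ident.name, "idle; candidate for decommissioning"))
        if ident.expires is not None and ident.expires < today:
            findings.append((ident.name, "expired credential still present"))
    return findings


def by_identity(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group findings per identity so each owner gets one actionable list."""
    grouped: Dict[str, List[str]] = {}
    for name, issue in findings:
        grouped.setdefault(name, []).append(issue)
    return grouped


def machine_share(identities: List[Identity], findings: List[Tuple[str, str]]) -> float:
    """Fraction of findings that concern machine identities (a simple KPI)."""
    machines = {i.name for i in identities if i.kind == "machine"}
    if not findings:
        return 0.0
    return sum(1 for name, _ in findings if name in machines) / len(findings)


if __name__ == "__main__":
    for name, issues in by_identity(hygiene_findings(INVENTORY, TODAY)).items():
        print(f"{name}: {'; '.join(issues)}")
```

Running the block lists the two problem service accounts and nothing for the clean identities; the same rules run on a live inventory every day give the "continuous observability" the article describes without any model in the loop.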
2. Implement guardian agents
Organisations should police AI agent behaviour, particularly to prevent accidental data leakage between agents and large language models (LLMs). This can be achieved by deploying small, simple “guardian” agents that can be trained quickly – often in a single afternoon – to strip out sensitive data such as personally identifiable information (PII) and commercial secrets.
“You can use this small guardian model to create amazing value, even just as the coordinator of work, because there’s absolutely nothing that says AI has to provide all the logic, especially for deterministic business rules,” said Addescott.
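The point that "nothing says AI has to provide all the logic" is easiest to see with a guardian that is not a model at all. The following is an added example, not code from Gartner or from any product mentioned on the page: a deterministic guardian that sits between an agent and an LLM, masks PII (emails, phone numbers, card numbers confirmed by a Luhn check) and refuses outright to forward anything that looks like a credential. The patterns and the two sample messages are constructed for the example and deliberately err toward over-redaction.

```python
import re
from typing import Dict, Tuple

# Assumed, deliberately simple detection rules; a real deployment tunes these.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE = re.compile(r"\+?\d{1,3}[\s-]?\(?\d{1,4}\)?[\s-]?\d{3,4}[\s-]?\d{3,4}")
CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # candidates, confirmed by Luhn
SECRET = re.compile(r"(?i)\b(api[_-]?key|password|secret|token)(\s*[:=]\s*)(\S+)")

# Constructed sample messages an agent might try to send to an LLM.
SAMPLE_PII = ("Customer Jane Doe (jane.doe@example.com, +61 2 9999 1234) "
              "paid with card 4111 1111 1111 1111.")
SAMPLE_SECRET = "Supplier portal login: api_key=sk_test_constructed_123 (margin target 42%)."


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: only digit runs that pass are treated as card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace sensitive values with labelled placeholders; count each class."""
    counts: Dict[str, int] = {}

    def tally(label: str) -> str:
        counts[label] = counts.get(label, 0) + 1
        return f"[{label}]"

    # Cards first, so the phone rule cannot claim a slice of a card number.
    text = CARD.sub(lambda m: tally("CARD") if luhn_ok(m.group(0)) else m.group(0), text)
    text = EMAIL.sub(lambda m: tally("EMAIL"), text)
    text = PHONE.sub(lambda m: tally("PHONE"), text)
    # Keep the key name (useful context), drop only the value.
    text = SECRET.sub(lambda m: m.group(1) + m.group(2) + tally("SECRET"), text)
    return text, counts


def guard(text: str) -> Tuple[str, str, Dict[str, int]]:
    """Deterministic policy: credentials are never forwarded; PII is masked."""
    redacted, counts = redact(text)
    if counts.get("SECRET"):
        return "blocked", "", counts
    return "forwarded", redacted, counts


if __name__ == "__main__":
    for sample in (SAMPLE_PII, SAMPLE_SECRET):
        decision, outbound, seen = guard(sample)
        print(decision, seen, outbound)
```

The guardian returns a decision, the text that may leave the boundary, and a count per data class, so the same function doubles as a telemetry source for how often agents attempt to pass PII or secrets outward.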
3. Address the normalisation of cyber attacks
A constant barrage of cyber attacks has led to desensitisation, which could tempt executives to cut security spending. Instead of arguing directly against budget cuts, CISOs should reframe the conversation by asking: “Why do some enterprises experience less pain when they are attacked?”
The answer, Addescott said, is resilience: “It’s a mindset shift where, if we can mitigate the harm of a threat actor, that’s the same thing as preventing it.”
The concept of “impact thresholds” can help turn the idea of resilience into action. An impact threshold defines the maximum acceptable outage for specific business processes. For example, a supermarket’s procurement system cannot be down for more than a day or two before fresh produce disappears from shelves, but payment processing disruptions might be tolerated longer if suppliers are on 90-day payment terms. These thresholds establish a common set of objectives and key performance indicators (KPIs) for executives.
“What we’ve done here is define a set of victory conditions for cyber security. It’s no longer about preventing everything; it’s about preventing anything from rising above the agreed threshold. It also centres on our most winnable set of actions, which is resilience,” Addescott explained.
However, true resilience requires regular practice. Gartner’s data shows some organisations with immutable backups still pay ransoms after an attack because they lack confidence in their ability to restore data, often due to infrequent testing. Assuring stakeholders requires consistent, authentic testing of recovery playbooks and partial disaster recovery failovers to prove that the minimum systems needed to keep the company running can be quickly restored.
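The impact thresholds of the previous paragraphs and the recovery-drill evidence this one calls for fit naturally in one small model. The following is an added example, not code from Gartner: it records a maximum acceptable outage per business process (constructed values loosely following the supermarket illustration above), the most recent restore drill for each process, and derives a per-process status and a single KPI an executive can track. The 90-day "drill is stale" limit is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

MAX_DRILL_AGE = timedelta(days=90)   # assumed: a drill older than this no longer counts as proof


@dataclass(frozen=True)
class ImpactThreshold:
    process: str
    max_outage: timedelta        # longest outage the business has agreed to tolerate


@dataclass(frozen=True)
class RecoveryDrill:
    process: str
    run_on: date
    restore_time: timedelta      # measured time to bring minimum service back
    succeeded: bool


# Constructed thresholds and drill records for the example.
THRESHOLDS: List[ImpactThreshold] = [
    ImpactThreshold("procurement", timedelta(days=1)),
    ImpactThreshold("payments", timedelta(days=14)),
    ImpactThreshold("point_of_sale", timedelta(hours=4)),
    ImpactThreshold("fulfilment", timedelta(days=2)),
]
DRILLS: List[RecoveryDrill] = [
    RecoveryDrill("procurement", date(2025, 5, 20), timedelta(hours=18), True),
    RecoveryDrill("payments", date(2024, 9, 2), timedelta(days=3), True),      # old evidence
    RecoveryDrill("point_of_sale", date(2025, 5, 27), timedelta(hours=6), True),  # too slow
]
TODAY = date(2025, 6, 1)


def assess(thresholds: List[ImpactThreshold], drills: List[RecoveryDrill], today: date) -> Dict[str, str]:
    """Per process: 'proven', 'stale' (proof too old), 'breach' (restore exceeds threshold) or 'untested'."""
    latest: Dict[str, RecoveryDrill] = {}
    for d in drills:
        if d.process not in latest or d.run_on > latest[d.process].run_on:
            latest[d.process] = d
    status: Dict[str, str] = {}
    for t in thresholds:
        d = latest.get(t.process)
        if d is None:
            status[t.process] = "untested"
        elif not d.succeeded or d.restore_time > t.max_outage:
            status[t.process] = "breach"       # outranks staleness: the threshold cannot be met
        elif today - d.run_on > MAX_DRILL_AGE:
            status[t.process] = "stale"
        else:
            status[t.process] = "proven"
    return status


def kpi(status: Dict[str, str]) -> float:
    """Share of in-scope processes with recent proof of recovery inside their threshold."""
    if not status:
        return 0.0
    return sum(1 for s in status.values() if s == "proven") / len(status)


def victory(status: Dict[str, str]) -> bool:
    """The 'victory condition': every process is proven recoverable within its threshold."""
    return bool(status) and all(s == "proven" for s in status.values())


if __name__ == "__main__":
    result = assess(THRESHOLDS, DRILLS, TODAY)
    for process, state in result.items():
        print(f"{process:15} {state}")
    print(f"resilience KPI: {kpi(result):.0%}, victory: {victory(result)}")
```

Because a breach outranks staleness, a process whose last drill ran recently but overran its threshold is reported as a breach rather than quietly counted as tested; that is the case the article says leads organisations with backups to pay anyway.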
4. Apply AI to the security operations centre (SOC)
Even advanced threat actors use AI in mundane ways, using compromised credentials to penetrate a system and then applying AI to search logs for low-hanging fruit. Security teams should mirror this by feeding logs into a retrieval-augmented generation (RAG) pipeline to identify the same vulnerabilities attackers would exploit, and then remediate them.
Telemetry from security tools can also be fed into an LLM to create tailored security awareness content and threat simulations – potentially including deepfakes – for individual employees.
Gartner expects that by 2028, organisations effectively deploying AI in their SOCs will materially reduce the number of incidents requiring human intervention, elevating the security analyst’s role from responder to supervisor. Addescott cited a large enterprise that detected more than 50,000 events in a single reporting period; the vast majority were handled by AI-enabled automated detection and response, leaving only a few hundred for human attention. He warned, however, that teams must determine their baseline performance metrics first to effectively measure improvements and justify future budgets.
Addescott concluded by reminding the audience that while these strategies are synergistic, they should be applied incrementally in the spirit of continuous improvement. Delivering value along the way is vital, he noted.
“We have massive, career-defining challenges trying to modernise the enterprise for machine identities and AI agents, but there’s also a massive opportunity to change our mission into something we can actually win, which is resilience,” he said. “Even as I argue that we can’t do the big transformation thing to get out of this ‘everything, everywhere, all at once’ mess, I’m actually really confident that we in cyber security can definitely innovate our way out.”
