Believe the hype: Panaseer included in Gartner® Hype Cycle™ for Cyber-Risk Management, 2024

Continuous Controls Monitoring, the category that Panaseer has been pioneering for a decade, has once again been included in the Gartner Hype Cycle™ for Cyber-Risk Management.

Four years ago, CCM was included for the first time with Panaseer listed for the first time. At the time, there hadn’t been a new category for four years. Our founder Nik Whitfield wrote this blog about the long journey it took to create the Continuous Controls Monitoring category. It started as a concept that was first used by big budget banks with extremely well-resourced security teams and was transformed into a usable product by a small company in Surrey.

If you want to read the latest, find out more here on the Gartner Hype Cycle™ for Cyber-Risk Management, 2024.

What is the Hype Cycle™ for Cyber-Risk Management?

Gartner explains it as: “This Hype Cycle outlines how organizations can utilize concepts, methodologies, processes and technology solutions to manage cyber risks and capitalize on risk-related opportunities. Organizations must adapt their approach to cyber-risk management and align cybersecurity strategies with business objectives, prioritizing business impact and outcome orientation. This adjustment is necessary to respond to shifting business impacts, regulatory environments and international affiliations.”

What is Gartner saying about Continuous Controls Monitoring?

Here’s the Hype Cycle:

CCM is currently at the “Peak of Inflated Expectations”. Gartner describes this as: “Early publicity produces a number of success stories — often accompanied by scores of failures. Some companies take action; many do not.”

Well, we certainly have several success stories, as well as the odd challenge. But we’ve been in the CCM game for a decade and spent all that time learning and improving. So, here’s a bit of action.

One of the key Strategic Planning Assumptions of this Hype Cycle is: “By 2026, 60% of cybersecurity functions will implement business-impact-focused risk assessment methods, aligning cybersecurity strategies with organizational objectives.” This is one of the cornerstones of Panaseer’s product development. Our latest feature, the Cybersecurity Controls Scorecard, is designed with this in mind.

Unlike most cybersecurity scorecards, it’s built on data from your own security tooling as opposed to an outside perspective. The Scorecard allows security leaders to quickly understand and manage their security controls, view changes over time, and explore how scores break down across the business. A straightforward summary of your cybersecurity controls and initiatives allows you to report to a range of stakeholders, including non-technical audiences.

It can be hard to effectively translate cybersecurity concepts, risks, and metrics into the language of the business for non-technical audiences. The Scorecard is an effective way to do that, focusing on how cyber risk can impact the business and aligning cybersecurity strategies with organizational objectives.

Why CCM is important, according to Gartner

The Hype Cycle™ briefly outlines some of the challenges organizations are facing.

One of the biggest challenges is the increase in regulatory compliance. “The growing breadth and depth of security and compliance requirements are putting pressure on security and risk management leaders and IT operational teams involved in testing and reporting on cybersecurity controls’ effectiveness.” We’ve seen the same in discussions with our customers and prospects. New regulations such as the recent SEC regulations in the US and DORA in Europe, are putting pressure of accountability on executives and boards. As such, security leaders are feeling that pressure too.

Security controls assurance is increasingly important. “Increased attack surfaces, due to cloud adoption and new digital business, are making security assurance tasks even more arduous, error-prone, and incomplete than before. Many security organizations lack the capabilities to continuously monitor and measure their controls’ effectiveness. This lowers the value of those controls.” Simply put, security leaders can no longer get by on point-in-time audits for assurance that their security controls are working as intended. Automation is essential to continuous controls assurance.

The business impact of CCM, according to Gartner

The impact of CCM stems from automation and data science. According to Gartner, “CCM tools in cybersecurity help security and IT teams reduce the manual efforts for security control management, partially relieving staff burden and enabling them to focus on higher-value tasks and reducing costs. The tools also provide constant monitoring of security controls, allowing faster detection of potential threats and minimizing breaches and regulatory noncompliance, which prevents significant financial and reputational damage. They not only enhance a company’s cybersecurity posture but also build a more secure, successful business.”

This value is also highlighted by the key drivers. Gartner outlines how CCM’s automation can increase productivity and accuracy of reporting, especially for auditing purposes:

• “Increases security and IT operational teams’ productivity by testing more controls within a given time frame. This is valuable because organizations are facing growing security and compliance requirements in control effectiveness testing and reporting.”
• “Streamlines control testing and reduces audit management costs because evidence of control activities are collected automatically according to the designated standards and policies. This ensures that security and IT operational teams no longer have to scramble to gather evidence and evaluate controls right before an audit.”
• “Improves accuracy by using preconfigured dashboards and reporting to avoid human errors through ad hoc data exports, copy/paste and hunting files in dispersed locations.”

They also mention the importance of providing context and analysis metrics to prioritize which control gaps to fix first, as well as the confidence that controls are being managed in near-real-time:

• “Provides confidence that controls and gaps are being timely identified and actively managed, enhanced with real-time alerts based on specific risk thresholds. This is important because organizations require continuous visibility into the key control activities and regulations.”
• “Enables the prioritization of risk management communication and decision by providing context and analysis metrics.”

It’s worth noting that Gartner also highlights: “[CCM] Helps avoid fines and boosts business reputation in the eyes of regulators, customers and auditors, as the organization has readily available evidence of risk remediations, protection of valuable assets and an ability to meet its compliance obligation.”

The final word

We’ve been included in a number of Hype Cycles over the last few years (six in the last two years, for example, plus a whole lot more*), but it’s particularly gratifying to see that the category we helped create is continuing to flourish. Long may it continue!

Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner and Hype Cycle are a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

*List of Hype Cycle inclusions as of 8 August 2024

• Hype Cycle for Security Operations, 2024 – 29 July 2024
• Hype Cycle for Workload and Network Security, 2024 – 23 July 2024
• Hype Cycle for Cyber-Risk Management, 2024 – 22 July 2024
• Emerging Tech: Security — Successfully Bringing CAASM to Market – 26 July 2023
• Innovation Insight: Cybersecurity Continuous Control Monitoring – 17 May 2023
• Hype Cycle for Security Operations, 2023
• Hype Cycle for Workload and Network Security, 2023
• Hype Cycle for Cyber-Risk Management, 2023
• Hype Cycle for Security Operations, 2022
• Hype Cycle for Workload and Network Security, 2022
• Hype Cycle for Cyber-Risk Management, 2022
• Hype Cycle for Security Operations, 2021
• Hype Cycle for Network Security, 2021
• Hype Cycle for Risk Management, 2020
• Competitive Landscape: Integrated Risk Management – 06 December 2021
• Forecast Snapshot: User and Entity Behavior Analytics, Worldwide, 2017 – 03 March 2017
• Critical Capabilities for IT Risk Management – 11 August 2020
• Emerging Tech Impact Radar: Security – 16 November 2022
• Competitive Landscape: Integrated Risk Management – 18 December 2019
• Competitive Landscape: Integrated Risk Management Solutions – 12 April 2018