While the cybersecurity landscape is bound to undergo multiple changes throughout 2022, much of what will happen over the next 12 months will be based on a series of decisions and security incidents that occurred in 2021.
In May, as part of a response to the 2020 disclosure that nation-state actors had targeted SolarWinds and customers of the company’s Orion network monitoring platform, President Joe Biden signed a sweeping presidential executive order related to cybersecurity. This order will fundamentally alter how the federal government approaches security, as well as how departments evaluate and purchase software and other technologies from third-party suppliers.
Besides SolarWinds, a series of high-profile ransomware attacks has spurred Congress to consider several bills that seek to strengthen the rules of how and when organizations should report these attacks. At the same time, lawmakers have pushed to implement greater privacy protections for citizens’ data at both the state and federal level.
During all this, the stubborn COVID-19 pandemic has remained, with variants (first Delta and now Omicron) continuing to cause concern among employers—and guaranteeing that remote and hybrid work is likely to remain a fixture well into 2022. This also means the security and IT challenges of the last 24 months will continue into the new year.
“Then 2021—and reality—set in: the Delta variant spread, lockdowns reappeared, and employees flirted with heading back to the office ... only to join remote meetings from home just like before,” according to a recent Forrester analysis that looked at how cybersecurity issues are developing for the new year. “Relationships, collaboration, and trust will dominate 2022, and gaps in those areas will have outsized impacts on firms’ relationships with their colleagues, partners, and suppliers.”
With this evolving security landscape, the next 12 months are expected to bring additional changes for organizations’ cybersecurity practices, especially as better technologies and more modern practices become standard. Here are four trends that IT and security pros should watch as 2022 comes into focus.
Zero Trust Comes of Age
Several security analysts believe that 2022 is the year when more organizations will apply the principles of zero trust to their security plans as a way to reinforce principles of least privilege and defense-in-depth. This, in turn, can limit the number of breaches and reduce lateral movement by attackers if they do manage to bypass initial security tools.
The Biden executive order is also pushing federal agencies to adopt zero trust architecture to counter ransomware and attacks by nation-state groups looking to conduct espionage or steal data.
“Companies are looking for ways to reduce the risks from cyberattacks, and accept that security must become a living system within the business rather than the old legacy static approach,” Joseph Carson, chief security scientist and advisory CISO at security firm ThycoticCentrify, recently told Dice. “In 2022, zero trust can help organizations establish a baseline for security controls that need to be repeated and force cybercriminals into taking more risks. That results in cybercriminals making more noise that ultimately gives cyber defenders a chance to detect attackers early and prevent catastrophic attacks.”
Osterman Research and security firm Symmetry Systems recently conducted a survey of 125 IT and security professionals in which 50 percent reported that ransomware was a significant factor in investing in zero trust in 2022. Others also noted that the continuing reliance on remote and hybrid workforces is another reason to apply zero trust principles.
“Focusing on zero trust for data will be critical to combating high-profile ransomware incidents and security issues resulting from the hybrid or completely remote workforces,” Martijn Loderus, vice president of solution engineering and delivery at Symmetry, told Dice. “In the coming year, we can anticipate that organizations will seek cybersecurity measures that harden their defenses against future threats. The recent escalation in ransomware attacks and data leaks has forced business leaders to expect that involvement in a breach is high.”
Another reason 2022 is likely to be a big year for zero trust adoption is the growing number of Internet of Things (IoT) and connected devices being added to networks, which expands the attack surface and gives attackers multiple entry points into an organization’s infrastructure, said Bud Broomhead, CEO at security firm Viakoo.
“Zero trust will expand in tandem with automation of security processes for IoT security as organizations take more extensive steps to secure that traditionally neglected attack surface,” Broomhead told Dice. “Zero trust must extend to IoT devices because that is where cyber threats are; this requires the ability to deploy and manage certificates on devices that were not designed with certificates or zero trust in mind.”
Fight for Talent
The Great Resignation has come for the cybersecurity field. The continuing availability of remote work at many organizations is allowing talented cybersecurity professionals to work from anywhere and also explore different avenues for their talent. This has made attracting qualified workers difficult for many companies, said John Hellickson, cyber executive advisor at consulting firm Coalfire.
“This industry-wide ability to work from anywhere has created an opportunity for employees to work for new companies they would have previously had to relocate for, while also getting larger-than-average salary increases. Many organizations have already seen higher than normal attrition, often providing limited counteroffers that can't even match the departing employee's offer-in-hand,” Hellickson told Dice.
“This will favor companies with larger operational budgets who are in cities that have an unmet demand for top cybersecurity talent,” Hellickson added. “Conversely, it will most certainly make it challenging for those smaller organizations that operate with limited budgets who can only offer mediocre merit increases that don't keep up with inflation, likely creating a surge for outsourced cybersecurity services.”
The Forrester analysis also noted that this “brain drain” in cybersecurity is likely to continue, with stress and long hours forcing many out of the field. “Our 2021 data shows that 51% of cybersecurity professionals experienced extreme stress or burnout, with 65% saying they had considered leaving their job because of job stress, combined with poor financial incentives and limited promotion and development opportunities,” the report noted. “To prevent this, CISOs must reduce team burnout, create development opportunities, and maintain a good culture.”
Build Secure Software Better
With prompting from the Biden executive order, some security experts are expecting to see a greater push to incorporate better security practices into new code.
While the practice of “shifting left” has been around for several years, the way adversaries have taken greater advantage of software flaws is likely to force developers to adopt more secure ways of developing code in 2022, with security taking a greater role in the DevOps process, said Michael Isbitski, technical evangelist at Salt Security. He added that API development, in particular, needs a better security approach.
“In 2022, more organizations will realize that the only way to truly secure APIs from increasingly complex and advanced cyber attacks is to embrace holistic processes and a full life cycle focus,” Isbitski told Dice. “This mindset requires a shift away from the desire to test all code with scanning tools that already struggle to provide adequate code coverage and leave business logic unaddressed. The mindset shift requires that practitioners account for an organization’s unique business logic in application source code as well as misconfigurations or mis-implementations of infrastructure that lead to API vulnerabilities and API abuse.”
Cyber Insurance: Now a Must
Analysts are also predicting a boom in the cyber insurance industry over the next year, especially as organizations look to push some of the risks back onto third-party providers in the wake of SolarWinds and other attacks that took advantage of weak security in the supply chain. This means that service-level agreements will contain language that pertains specifically to certain cybersecurity practices.
“Before signing new and renewing existing suppliers, organizations will demand policies embedded in their contracts stipulating that the partner assumes the risk of an intruder jumping from the partner’s to the organization’s environment,” the Forrester analysts noted. “Smaller policies reduce exposure for cyber insurers, while also reducing the policyholder’s risk of working with new and existing suppliers with varying cybersecurity postures.”