What Gartner’s 2022 Security Risk Predictions Mean for Your Business
An unprecedented 30 billion records were exposed in data breaches in 2020, driven in part by ongoing disruptions caused by COVID-19 that continued the following year. Today, the threats to modern industries and supply chains are only growing as new and more frequent attacks are on the horizon, according to recent findings from leading cybersecurity publications.
“Supply chain attacks, misinformation campaigns, mobile malware and larger scale data breaches are just some of the threats to watch for [in 2022],” says TechRepublic, where “Cyberattacks no longer just impact the targeted organization but often have a ripple effect that harms partners, providers, customers and others along the supply chain.”
As 2022 begins, the most recent thought leadership on cybersecurity trends is emerging from Gartner. Among other predictions, Gartner anticipates an evolution of cybersecurity characterized by vendor consolidation, more holistic security strategies that incorporate human elements more deliberately, and a “move beyond cybersecurity and into organizational resilience to account for broader security environments,” as described in their October 2021 article.
But how can companies of all sizes achieve the “organizational resilience” they need to operate safely in modern technology ecosystems? Here we synthesize the latest findings from Gartner, Forrester, and other publications and provide recommendations so you can proactively prepare for upcoming cybersecurity threats.
2021 in Review: The State of Threats and Defense
By October 2021, the rate of daily cyberattacks had grown to about 2,200, Security Magazine reports. Cybercriminals took advantage of COVID-19 disruptions—especially organizations’ shift to hybrid work models, which left many exposed to ransomware—resulting in dozens of high-profile losses as well as thousands of lesser-known events.
“Over the past two years, the typical enterprise has been turned inside out,” says Peter Firstbrook, VP Analyst at Gartner in November 2021. “As the new normal of hybrid work takes shape, all organizations will need an always-connected defensive posture and clarity on what business risks remote users elevate to remain secure.”
In addition to knowledge workers accessing corporate networks from remote locations, digital assets are increasingly located outside of traditional enterprise infrastructure as well. These shifts add business agility but expose new vulnerabilities, so that a traditional perimeter defense approach is no longer sufficient; “identity-first security” takes precedence instead.
The convergence of digital services introduces new opportunities as well as cybersecurity vulnerabilities: each API represents a “machine identity” that needs to be authenticated. Cybersecurity experts and business users must both change their perspective on security as a result, focusing on entity authentication and building awareness of it as a new imperative.
Even so, security awareness and training (SA&T) has lagged in sophistication, failing in many cases to evolve to address these new types of dangers. “The [SA&T] market is full of legacy vendors whose offerings are out of date and out of touch with users,” explained Forrester in November 2021, noting that these models often lack compelling methods for business user engagement and proactive learning.
A growing diversity of threats in combination with proliferating vendors of dedicated cybersecurity solutions is driving security teams to consolidate vendors into single, holistic solutions instead. “Most organizations recognize vendor consolidation as an avenue for more efficient security, with 80% executing or interested in a strategy for this,” Gartner described in November 2021. Although successful consolidation of this kind may take years, “more streamlined operations and reduced risk are often more achievable” as a result.
Fortunately, there are only a few major concepts to keep in mind as you and your security teams begin conversations about your own information security transformation in 2022. Here are five trends and insights you can use to build security, resiliency, and confidence within your organization.
Trend #1: A Shift to Mesh Architecture to Protect Hybrid Workforces
Hybrid work models, whereby large portions of a workforce work remotely some or all of the time, are becoming a permanent fixture across industries, “with more than 75% of knowledge workers expecting future hybrid work environments,” Gartner reported in November 2021. Although this shift caused major security issues in 2020 and 2021, security teams at leading enterprises are “rebooting” their security approaches, in many cases with mesh architectures.
In their October 2021 article, Gartner predicts that organizations that have adopted cybersecurity mesh architectures will reduce the financial impact of security incidents by 80% on average by 2024. These architectures feature distributed network security measures focused on protecting human and machine “identities” rather than taking a traditional “network perimeter” approach.
Trend #2: Alignment of Security with Products and Business Decision Making
Business leaders will rightly perceive security as a “revenue driver” rather than a cost center, and align security initiatives with the development of key lines of business accordingly. Security will therefore play a primary, active role in the development of new products and business initiatives rather than a secondary, “defensive” role.
Security will be integral to everyday business processes as well, not just as a gateway at users’ or machines’ points of entry. “Privacy-enhancing computation techniques that protect data while it’s being used—as opposed to while it’s at rest or in motion—enable secure data processing, sharing, cross-border transfers and analytics, even in untrusted environments,” as Gartner described in November 2021.
Trend #3: Prioritization of Cybersecurity within Executive Decision Making
As businesses come to terms with the potential financial, customer trust, and public relations costs of modern cyberattacks, they will increasingly include cybersecurity concerns in board-level discussions. “By 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member,” Gartner predicts in their October 2021 article.
Cybersecurity oversight will become stricter as a result. Team leaders and employees can expect more regular cybersecurity audits and training sessions. Leading organizations will provide user-friendly resources and support, and ensure that individual security best practices become a welcome, practical part of employees’ everyday responsibilities.
Trend #4: Increases in High-Impact Supply Chain Attacks
Supply chain attacks are growing as criminals recognize them as high-impact targets. Indeed, as we’ve learned in 2020 and 2021, supply chain disruptions resonate across industries; supply chains are vulnerable to just about any kind of attack as well, since partner networks may carry any number of data breach, malware, or ransomware exposures.
In addition to ramping up identity-based security measures in partner ecosystems, companies will increasingly choose their supply chain partners based on the quality of their security. “By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements,” reports Gartner in their October 2021 article, adding that even investors will look to companies’ supply chain security as they consider investment opportunities.
Trend #5: New Adaptive Strategies and Training Methods
Both company leaders and security teams will begin to perceive security as an adaptive aspect of business. Security leaders will increasingly approach security strategy based on “measured human risk” through analysis of actual employee behavior rather than testing or quizzing employees. “This gives CISOs invaluable data about the risky behaviors they need to manage, allowing them to focus training resources or uplift security capabilities if required,” as Forrester described in November 2021.
Security audits and penetration tests (i.e., “pen tests”) will become more common, increasing in frequency from an annual to a quarterly basis. Audits will increasingly involve the participation of supply chain and other partners, including third-party security consultants and experts who deliver unique expertise unavailable among internal security teams.
Conclusion: Identity on the Front Line
“Human risk quantification… is a security-program imperative,” claims Forrester. Indeed, security leaders must reconceptualize cybersecurity measures to focus on individual users, applications, and machines as bad actors’ points of entry. But changing individual behaviors requires a willingness among senior leaders to implement top-down cultural and training initiatives.
Uvation Can Help You Transform Your Security Environment
Uvation helps enterprise leaders across the globe as they optimize their security environments, consolidate vendor solutions, and move to change their internal culture to face future security challenges. Contact one of our security experts to learn more.