According to McKinsey, most enterprises have yet to reach the level of cybersecurity management that today’s business demands. Its recent survey found that only around 10% are actively working on cyber-risk reduction; the majority are reactive, scrambling to fill security holes as they arise.
This year will be an important one for CISOs to work closely with business leaders across the enterprise to get buy-in for security initiatives that are aligned with business objectives.
So, what will be the priorities in the CISO’s kit bag for 2022?
Strengthening supply chain security will be a priority
Over the past year, enterprises have become acutely aware of the fragility of their supply chains, spotlighted by high-profile incidents including the SolarWinds compromise and the Log4j vulnerability (Log4Shell, CVE-2021-44228), which put thousands of Java applications, many of them web-facing, at risk.
Forrester Research believes that 60% of security incidents this year will result from issues with third parties as cybercriminals search out low-hanging fruit among smaller vendors and suppliers.
To avoid becoming one of those statistics, Forrester maintains that companies must invest in the people, processes and technology of third-party risk management.
A zero trust approach is now critical
Cybercriminals are getting cleverer in both their technology and their business models. Ransomware-as-a-service operators are going to ever greater lengths to make victims pay, including launching distributed denial of service (DDoS) attacks against them, emailing their clients and even auctioning off stolen data. Enterprises therefore need to be one step ahead, which is where zero trust comes in.
Zero trust is a security architecture in which every user and device, whether inside or outside the enterprise network, must be authenticated, authorized and continuously validated before being granted access to data and applications; network location alone confers no trust. This least-privilege, “need to know” approach secures remote workers and the hybrid cloud, reducing overall risk.
According to a recent report by the Ponemon Institute, the enterprises that are effective at keeping up with the constantly changing threat landscape and closing security gaps are those that have implemented a zero trust model.
By adopting a zero trust framework, CISOs can close several gaps that leave enterprise data exposed and at risk. Because every access decision is made per request and per device, a compromised device can be contained quickly by revoking its access rather than by hunting for it on a flat network. This is incredibly important when it comes to securing remote workers outside the traditional enterprise perimeter.
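To make the model described above concrete, here is an added example (not from the original article and not Orange Cyberdefense code) of a minimal zero trust policy decision point in Python. Every request carries the caller’s identity, the device’s posture and the resource and action requested, and is evaluated afresh on each call: MFA and session freshness are checked first, then device posture and quarantine status, then least-privilege authorization. Network location is recorded for audit but never grants access. The policy table, session TTL, user names and device IDs are all constructed for illustration.

```python
from dataclasses import dataclass
import time

# Constructed example policy: (resource, action) -> roles allowed to perform it.
# Note there is no "network" column; in zero trust, location confers nothing.
POLICY = {
    ("payroll-db", "read"):  {"finance", "hr"},
    ("payroll-db", "write"): {"finance"},
    ("wiki", "read"):        {"finance", "hr", "engineering"},
}
SESSION_TTL = 15 * 60  # seconds; short sessions force continuous re-validation


@dataclass
class Identity:
    user: str
    roles: set
    mfa_verified: bool
    authenticated_at: float  # epoch seconds when the user last proved identity


@dataclass
class Device:
    device_id: str
    managed: bool
    compliant: bool  # posture check passed (patched, disk encrypted, EDR running)


@dataclass
class Request:
    identity: Identity
    device: Device
    resource: str
    action: str
    inside_corporate_network: bool  # logged for audit only; never consulted


class PolicyDecisionPoint:
    """Evaluates every request on its own merits; holds no per-session allow cache."""

    def __init__(self, policy, session_ttl=SESSION_TTL):
        self.policy = policy
        self.session_ttl = session_ttl
        self.quarantined = set()

    def quarantine(self, device_id):
        """Contain a compromised device: all later requests from it are denied."""
        self.quarantined.add(device_id)

    def evaluate(self, req, now=None):
        """Return (decision, reason). Checks run in order: authn, device, authz."""
        now = time.time() if now is None else now
        # 1. Authenticate: identity must be MFA-backed and fresh, wherever it comes from
        if not req.identity.mfa_verified:
            return "deny", "mfa required"
        if now - req.identity.authenticated_at > self.session_ttl:
            return "deny", "session expired, re-authenticate"
        # 2. Device posture: quarantined, unmanaged or non-compliant devices get nothing
        if req.device.device_id in self.quarantined:
            return "deny", "device quarantined"
        if not (req.device.managed and req.device.compliant):
            return "deny", "device posture"
        # 3. Authorize with least privilege: the role must be allowed this exact action
        allowed = self.policy.get((req.resource, req.action), set())
        if not allowed & req.identity.roles:
            return "deny", "not authorized for action"
        return "allow", "ok"


def demo(now=1_700_000_000.0):
    """Run the constructed scenarios and return each decision by name."""
    pdp = PolicyDecisionPoint(POLICY)
    alice = Identity("alice", {"finance"}, mfa_verified=True, authenticated_at=now - 60)
    laptop = Device("lt-0042", managed=True, compliant=True)
    results = {}
    # Remote worker on a compliant device, off the corporate network: allowed
    results["remote_ok"] = pdp.evaluate(Request(alice, laptop, "payroll-db", "write", False), now)
    # Same user asking for an action no role grants: denied (least privilege)
    results["over_privilege"] = pdp.evaluate(Request(alice, laptop, "wiki", "write", False), now)
    # Inside the corporate network but without MFA: still denied
    bob = Identity("bob", {"hr"}, mfa_verified=False, authenticated_at=now)
    results["on_network_no_mfa"] = pdp.evaluate(Request(bob, laptop, "wiki", "read", True), now)
    # Session older than the TTL: continuous validation forces re-authentication
    stale = Identity("alice", {"finance"}, True, authenticated_at=now - 2 * SESSION_TTL)
    results["stale_session"] = pdp.evaluate(Request(stale, laptop, "payroll-db", "read", False), now)
    # EDR flags the laptop: quarantine it and every subsequent request is refused
    pdp.quarantine("lt-0042")
    results["after_quarantine"] = pdp.evaluate(Request(alice, laptop, "payroll-db", "read", False), now)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

The containment step is the one to notice: revoking a single device ID in the decision point is all it takes to cut off a compromised laptop, because no earlier “allow” is cached and nothing trusts the network the laptop sits on. In a real deployment the policy table, device posture and quarantine list would come from the identity provider, the endpoint management platform and the EDR respectively, not from in-memory constants.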
A landing zone is an essential build
By 2023, 75% of security failures will result from inadequate management of identities, access and privileges, up from 50% in 2020, according to Gartner. This is primarily due to a lack of visibility and control of access rights.
Building a strong foundation in the form of a landing zone is paramount. A landing zone is a pre-configured, centrally managed cloud environment: a standard, secured baseline of accounts or subscriptions, network layout, identity and access policies, logging and guardrails, together with the operational and governance processes that keep it in that state. Its scope covers cost optimization and performance efficiency as well as the security and compliance we are concerned with here.
Deploying security and compliance policies across the cloud can be complex and a barrier to successful adoption. A well-designed landing zone lets teams consume cloud resources quickly and securely because the controls are already in place. By automating policy deployment and enforcement, it ensures that new workloads and data are protected from the moment they are created, rather than relying on each team to configure security correctly by hand.
Privacy regulations are continuing to evolve
An avalanche of privacy regulations is expected this year, making the regulatory landscape increasingly complex. Enterprises will need to have robust governance and best practices in place if they are to stay inside the law.
Gartner predicts that by the end of 2023, modern privacy laws will embrace the personal data of 75% of the world’s population.
Two recent examples are California’s state-wide Consumer Privacy Act (CCPA) and Brazil’s nationwide Lei Geral de Proteção de Dados Pessoais (LGPD). In Europe, more legislation is queuing up, including the Data Governance Act, the Digital Services Act and the revised Network and Information Security Directive (NIS2), which updates the first piece of EU-wide cybersecurity legislation.
The huge scope of these regulations means enterprises will need to be prepared to comply with multiple data protection laws across several jurisdictions at once. Gartner advises that enterprises automate privacy management, standardize security operations using GDPR as the baseline and then adjust for the requirements of individual jurisdictions.
The security talent drought is getting worse
The cybersecurity talent drought is set to get much worse with one in ten experienced professionals set to exit the industry this year, according to Forrester Research. This is down to stress and burnout over the past twelve months.
Talent availability is cited as a leading factor inhibiting the adoption of the latest security technologies, according to a Gartner survey of IT executives.
CISOs will need to monitor stress in teams and work on establishing a pipeline of talent. In the short term, enterprises will need to partner with security experts to protect their data and look at emerging technologies, such as AI and machine learning, to spot anomalies.
Assessments for cyber insurance are getting more rigorous
Cyber insurance will become an increasingly essential part of an enterprise’s holistic security and business strategy, especially in light of recent high-profile incidents including the Kaseya, Colonial Pipeline and Microsoft Exchange Server attacks.
According to IDC, cybersecurity insurance policies increasingly require enterprises to undergo rigorous security assessments and surrender some of the control of an incident response process to providers. Premiums will become prohibitively expensive for enterprises that don’t have a robust security posture.
“Many organizations are turning to cybersecurity insurance policies to limit their financial losses in the event of a security incident that compromises sensitive information systems,” explains Mike Chapple, Research Analyst for IDC’s IT Executive Programs.
The threat landscape is only going to get bigger
The more connected we get, the larger the attack surface. At the same time, cybercriminals are getting more sophisticated in both their tooling and their methods of entry.
Many current approaches to improving cybersecurity are falling short of providing appropriate and defensible levels of protection, according to Gartner. Enterprises need to kick off 2022 with a commitment to improving cybersecurity readiness by “treating it as a choice and a business decision.” This demands an outcome-driven approach, balancing investment and risks with business goals.
Would you like the bigger picture on the cybersecurity landscape? Download the Orange Cyberdefense Security Navigator 2022 report.
Jan has been writing about technology for over 22 years for magazines and web sites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.