New Year, New Trends: 2022 Cybersecurity Predictions
And just like that, 2021 has come to a close. We started with SolarWinds and ended with Log4j… cyber adversaries certainly know how to keep us on our toes. In between, Microsoft Exchange, the Florida water plant, JBS, CNA Financial, Kaseya, EA, and Colonial Pipeline, among other breach targets, made headlines and shook up the security industry.
Each of these pivotal moments may have brought fear, uncertainty, and doubt, but with that also came innovation, a sense of community, and lessons learned. If there’s one thing to take away from the past year, it’s to always reflect on and learn from your experiences – good or bad.
In the name of reflection and moving forward, three NetSPI thought leaders, Travis Hoyt (CTO), Nabil Hannan (Managing Director), and Florindo Gallicchio (Head of Strategic Solutions) came together on a live panel to discuss their cybersecurity predictions for 2022.
Pulling from their decades of experience and daily conversations with some of the most prominent organizations across the globe, they tackled the highly debated topics of 2021, from budgets to application security to ransomware. Continue reading to find out what they’re anticipating in the new year.
2022 cybersecurity budgets are going to rebound significantly
“Throughout my career, budgeting has always been a challenge. In 2020 and 2021, security budgets had suffered a pretty big hit primarily due to companies allocating that money to work from home technologies, digital transformation, and business continuity amid the pandemic. And we’re beginning to see those budgets rebound.
While we were cooped up in our houses and locked down at the beginning of the pandemic, the bad guys were not, and they kept busy uncovering egregious vulnerabilities to exploit. We noticed now that a game of catch-up is being played and budgets are being allocated, or re-allocated, back to cybersecurity, penetration testing in particular.” – Florindo Gallicchio, Head of Strategic Solutions, NetSPI
CFOs will have more skin in the security game
“For too long, companies have taken a reactionary approach to ransomware attacks – opting to pay, or not pay, after the damage has already been caused. I expect to see CFOs prioritizing conversations surrounding ransomware and cyber insurance within 2022 planning and budgetary meetings to develop a playbook that covers all potential ransomware situations and a corresponding strategy to mitigate both damage and corporate spend. If they don’t lead with proactivity and continue to take a laggard approach to ransomware and cyber insurance, they are leaving their companies at risk for both a serious attack and lost corporate funds. At mature organizations, CFOs are starting to understand that they’ve got a lot more skin in the game.” – Travis Hoyt, Chief Technology Officer, NetSPI
Cybersecurity insurers will ask deeper, more technical questions
“There’s currently a lack of willingness to underwrite cybersecurity policies. The market is cracking down and underwriters are asking tougher questions. Cybersecurity is not just a line item in a budget, it’s not just a percentage of spend against it, it has much more material impact to the business. As you look at the mitigations and activities that you’ll need to do with respect to understanding what you have in your environment, your exposures, your vulnerabilities – attack surface management, penetration testing – you’ll also need to look at your control posture. How are your teams responding to incursions? What kind of breach and attack simulation activities are you pursuing? These are the items that underwriters are going to be curious about. It’s a much deeper, much more technical set of questions than I have seen them ask historically, and I think it represents the evolution of the market.” – Travis Hoyt, Chief Technology Officer, NetSPI
More organizations will focus on risk in cybersecurity budgeting discussions
“We’ve noticed a heightened focus on a risk approach or risk justification for budgets, over compliance, check-the-box approaches we’ve seen in the past. Companies are starting to build budget justifications based on risk to the business. In fact, we are seeing more clients take a risk-based approach to cybersecurity spend than before.” – Florindo Gallicchio, Head of Strategic Solutions, NetSPI
2022 is the year of API security
“Watching application security, in conjunction with software development, evolve over the last 15 years, we’ve seen a significantly large uptick in API-based architectures. I’m predicting 2022 is going to be the year of the API, where organizations will become serious about securing their APIs.
The Log4j issue arises from a bad habit that software development has fallen into: reusing components without fully understanding the implications. We’re also building software with very small bite-sized components that interact with your web applications, your mobile applications, your thermostat at home, your smart car, and other things we rely heavily on. API security is going to get a lot more attention now because organizations are starting to realize how heavily dependent they are on this type of architecture. And you have to be dependent on this type of architecture if you truly want to build systems that are robust and scalable. I expect that API security will become one of the top priorities in the application security space this year.” – Nabil Hannan, Managing Director, NetSPI
The concept of ‘shift left’ will transform into ‘shift everywhere’
“Shift left is a great thought process, and we need to continue doing that. But we also have to start focusing on shifting right. We need to shift everywhere. Thinking of application security holistically will enable you to protect your organization and protect your systems.
Look at technologies beyond web firewalls. Start looking at the viability of RASP solutions. In certain scenarios, start thinking of how to integrate IAST into the QA testing process. All of these activities need to work together. The Log4j issue has highlighted the need to shift right. We need to learn from it and determine the right approach to protect our organizations for the next big vulnerability that comes up.” – Nabil Hannan, Managing Director, NetSPI
SaaS security posture management (SSPM) will be prioritized in 2022
“As organizations continue to become more reliant on SaaS technologies to enable digital transformation efforts, the security perimeter has expanded. Organizations now face a new source of cybersecurity risk as cybercriminals look to exploit misconfigurations or vulnerabilities in these SaaS technologies to wage costly attacks. In 2022, we can expect that organizations will become more focused on SaaS posture management and ensuring that their SaaS footprint is not left open as a vector for cyberattacks. This trend will be further accelerated by the insistence of insurance providers that organizations have a detailed understanding of their SaaS deployments and configurations or face higher premiums or even a refusal of insurance altogether.” – Travis Hoyt, Chief Technology Officer, NetSPI
The blockchain security space will grow in awareness and acumen
“Blockchain is an interesting space on the currency and finance side. But what we’re actually seeing is that there are a lot of people that are interested in the underlying technology, the distributed ledger technology. There are a lot of organizations, or consortiums, that are starting to leverage this technology to solve a variety of problems that allow them to interact in ways that perhaps they would not have been able to do – or do efficiently – in the past.
It’s one of those things that security teams are going to have to start paying attention to. While there are overlaps with respect to the security testing methodologies, there are some unique differences that will change your operating and security processes, especially when you’re deploying them in a distributed fashion. My prediction is that we will see the blockchain security space start to grow in 2022.
It’s going to be a very compelling and interesting story. The acumen for attacking this technology by threat actors is already well cultivated. What we don’t have is the same measure of acumen cultivation by the defenders. My call to action is, if this technology is going to be in play in your space, then you need to make sure that your teams understand how it operates, where it’s unique, how it’s unique, and what you need to defend it effectively and get that acumen development in place.” – Travis Hoyt, Chief Technology Officer, NetSPI
Company culture could solve the cybersecurity hiring crisis
“It’s no secret that cybersecurity, like many industries, is facing a hiring crisis. The Great Resignation we’re seeing across the country has underscored a growing trend spurred by the COVID-19 pandemic: employees will leave their company if it cannot effectively meet their needs or fit into their lifestyle. From a retention perspective, I expect to see department heads fostering a culture that’s built on principles like performance, accountability, caring, communication, and collaboration. Once this team-based viewpoint is established, employees will take greater pride in their work, producing positive results for their teams, the company and themselves – ultimately driving positive retention rates across the organization.” – Charles Horton, Chief Operations Officer, NetSPI [note: Charles was unable to attend the webinar; Nabil shared this prediction on his behalf]
The skills shortage will continue until hiring practices change
“In 2022 the cybersecurity skills gap will persist, but organizations that take a realistic approach to cybersecurity hiring and make a commitment to building cybersecurity talent from the ground up will find the most success in addressing it. The focus in closing the skills gap often relies on educating a new generation of cybersecurity professionals through universities and trade programs, and generally encouraging more interest in young professionals joining the field. In reality, these programs will only have limited success. The real culprit behind the skills gap is that organizations often maintain unrealistic hiring practices, with cybersecurity degrees and certification holders often finding untenable job requirements such as 3+ years of experience for an entry level job.” – Nabil Hannan, Managing Director, NetSPI