Cybersecurity in 2022 and Beyond | The State of Security
It’s that time of year that the usual happens. Christmas crackers with bad jokes. Holiday specials on TV (constantly). And cyber specialists like me make predictions about the year to come. With the help of insights from Gartner and my own views on what we are likely to see in 2022, I hope to help you decide where to focus your attention. Firstly, it’s worth knowing that Gartner’s predictions come from the Gartner IT Symposium/Xpo Americas, which ran virtually in October 2021. Even from the title of the event, you know that attending will be like playing “buzz-word bingo”! (When does a conference become a symposium, anyway?)
The key theme of discussion this year was to explore the lessons learned from the ongoing disruption and uncertainty. In its summary of the event, Gartner lists its top strategic predictions for 2022 and beyond. These are:
- By 2024, 30% of corporate teams will be without a boss due to the self-directed and hybrid nature of work.
- By 2025, synthetic data will reduce personal customer data collection, avoiding 70% of privacy violation sanctions.
- By 2024, 80% of CIOs surveyed will list modular business redesign, through composability, as a top 5 reason for accelerated business performance.
- By 2025, 75% of companies will “break up” with poor-fit customers as the cost of retaining them eclipses good-fit customer acquisition costs.
- By 2026, a 30% increase in developer talent across Africa will help transform IT into a world-leading start-up ecosystem, rivaling Asia in venture fund growth.
- By 2026, non-fungible token (NFT) gamification will propel an enterprise into the top 10 highest-valued companies.
- By 2027, low orbit satellites will extend internet coverage to an additional billion of the world’s poorest people, raising 50% of them out of poverty.
- By 2027, a quarter of the Fortune 20 companies will be supplanted by companies that neuromine and influence subconscious behavior at scale.
- By 2024, a cyberattack will so damage critical infrastructure that a member of the G20 will reciprocate with a declared physical attack.
These are certainly some interesting predictions, but are these the strategic issues that the majority of us are facing and should be worrying about? I believe there are other issues we should be considering, and therefore, I offer you just three predictions for 2022 which I believe we need to be focusing on right now.
By 2023, the Role of the CDO Will Become More Integral to Organizations
If you’ve not come across a CDO yet, you will. I believe in 2022 we will see the rise of the Chief Data Officer to prominence in the Board room as the value of data starts to become truly understood.
The CDO has a pivotal role in developing and accelerating a business’s use of data to become a truly data-driven organization. The CDO oversees a range of data-related functions to ensure an organization is getting the most from the data they control and/or process.
With a focus on business, the CDO understands the business’s objectives, strategy, and direction, but they focus on how to underpin that with data and use the data to achieve the organization’s objective.
They will work closely with the Chief Information Security Officer (CISO), but please don’t think this replaces the CISO, whose role is to strategically and tactically direct information security.
Data is undoubtedly important to all organizations, but data alone is useless. It is how we apply and use data within an organization that gives it the value it has. This is why the core skills of a CDO will be business data analytics. Understanding data flows can make an organization more streamlined and efficient and ultimately more profitable by the appropriate (and legitimate) use of data.
Gartner predicts that 50% of chief digital officers without a Chief Data Officer (CDO) peer will need to become the de facto CDO to succeed. Therefore, you should be looking at your C-Suite now and asking who in the new business era do you need around the table. Do you have a CISO? Do you need a CDO?
If you think the CDO is a new role, think again. Capital One hired its first CDO in 2002, and organizations have been following in its footsteps ever since. If the importance of data is on the rise, then it makes sense that there is someone in the C-suite who is focused on it.
Third-Party Risks Will Continue to Rise, and the Need for Evidential Due Diligence Will Rise along with Them
According to the 2021 Supply Chain Resilience Report from the Business Continuity Institute (BCI), nearly 28% of organizations surveyed reported 20 or more supply chain disruptions. It’s worth remembering that we are ALL suppliers, i.e., third parties, to someone, and we are all part of the supply chain, so it’s not a surprise to hear that executives are concerned with disruptions to the chain.
Of course, we can point to COVID as being a major contributor to supply chain disruption, but with the SolarWinds attack, it’s clear to see that organizations need to be doing more to protect themselves against third-party risks. As the BCI report states, there is a need for more comprehensive due diligence to be carried out before contracts are signed. As you might expect, the BCI report focuses on the need for due diligence around the business continuity capabilities of an organization, but this must also include contingency processes related to cyberattacks and data breaches.
Every organization should be looking at how suppliers are on-boarded, and they should put in place a contractual right to audit the supplier. This due diligence should follow an agreed framework: risk-assess the supplier first, then perform due diligence commensurate to that risk. For example, you might not want the organization that tends your grounds to be certified to ISO27001, but the data center that houses your critical data should be. When a supplier does present a certificate, check that its stated scope actually covers the service you consume; a certificate for one site or business unit says nothing about the rest of the company.
The time is right to start to focus on developing a robust Third Party Audit Review (TPAR) where you rank your third parties according to risk and then commit to completing an audit of them using questionnaires, interviews, and possibly site visits.
Remember that one of the largest breaches that took place in the USA in 2013 was against Target. The retailer later paid $18.5 million to settle the claims brought by 47 states and the District of Columbia, on top of the huge financial costs of cleaning up the breach. How did it happen? Criminals used credentials stolen from an HVAC company that supplied Target with maintenance for its heating, ventilation, and air conditioning systems, and the access granted to that supplier was enough to reach the systems that mattered. The lesson is as much about segmenting and limiting third-party access as it is about the supplier’s own security.
Cybercriminals know that large organizations need the support of outside organizations, and they know that smaller organizations often can’t afford elaborate security (or neglect it because they are unaware of the risks). Unfortunately, this situation hasn’t improved much since 2013. This needs to change.
New Regulations and New Standards Will Put Pressure on Organizations’ Compliance Programs
We already know that in 2022, version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) is set for release. We also know that on 24th January 2022, Cyber Essentials is being “revamped” and is being positioned as “the biggest overhaul of the scheme’s technical controls since it was launched in 2014.” It is also widely known that the international standard for Information Security, ISO27001:2013, is due for an update and is expected to be released in 2022. Of course, we also know that the UK Government has talked about new data protection laws that may come into effect over the next couple of years and that may move us away from European regulations (like the GDPR).
This will come as no surprise to anyone operating in a Governance, Risk, and Compliance (GRC) role, but it may be a shock to the system (literally) to many others. Compliance officers will once again be in high demand, and being able to demonstrate (evidence) compliance with the standards will become increasingly important.
Therefore, it is advisable to start thinking about what compliance looks like for your organization by employing GRC processes and programs so that you aren’t simply focusing on one aspect of data protection and cyber security. Mapping a mixture of technical and organizational controls to the standards you must meet makes it far easier to evidence compliance, and to see quickly which controls are affected when those standards change.
Conclusion
There is no such thing as the perfect plan, and many believe the future is unpredictable. However, if this were true, we wouldn’t have weather forecasts, and we wouldn’t have the list above along with the countless lists by other cybersecurity specialists and specialist companies.
The future is predictable (to some extent) by looking at the past and making some basic assumptions about what the future may hold for us. The time is right to take stock of what has gone before and make some reasonable assumptions and predictions about what our future holds, for there is no doubt that change is coming.
Finally, we would all do well to remember the words of Ebenezer Scrooge in A Christmas Carol when he met the Ghost of Christmas yet to come: “I fear you more than any specter I have seen. But as I know your purpose is to do me good, and as I hope to live to be another man from what I was, I am prepared to bear you company and do it with a thankful heart.”
We can’t fear the future, so we must perform our own horizon scanning and see what that future might look like to us, lest we suffer the fate of repeating past mistakes and errors.
Good luck.
About the Author: Gary Hibberd is ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.