CISOs: Seven Cybersecurity Trends for Strategy Development
By Cinthya Alaniz Salazar | Tue, 09/20/2022 - 15:35
The unbounded expansion and reconfiguration of companies’ digital architectures are at the center of this year’s top cybersecurity trends, according to Gartner. This transformation has made a centralized approach to cybersecurity control obsolete and demands active strategy development from Chief Information Security Officers (CISOs). Outlined below are Gartner’s seven top cybersecurity trends for 2022.
“These disruptions do not exist in isolation; they have a compound effect,” said Peter Firstbrook, VP Analyst, Gartner. “To address the risks, CISOs need to transition their roles from technologists who prevent breaches to corporate strategists who manage cyber risk.”
Companies’ networks have become increasingly disaggregated with the addition of cloud, edge and data center technologies, an evolution that has only begun and will keep responding to emerging technologies while shaping the security controls built around them. While necessary, this transformation has introduced multiple cybersecurity risks, and the resulting disruptions and damages have cost organizations billions. Mitigating these risks has become a central priority for companies and, while they have made progress, cybercriminals have been working at pace to circumvent new security controls.
To stay ahead of cybercriminals, CISOs who understand the following trends will be better equipped to curb new threats and strengthen strategy development.
No. 1: Attack Surface Expansion
The migration toward remote work, cloud services, highly connected supply chains and cyber-physical systems has expanded the attack surface of organizations, leaving them more exposed to attack. This places larger organizations, with larger digital infrastructures, at a disproportionate disadvantage. Gartner recommends that security executives look beyond legacy risk management solutions and add monitoring, detection and response capabilities to curb unintended vulnerabilities.
“The infrastructures of SMEs and large corporations are inherently different. Large corporations have a much larger attack surface compared to small businesses; therefore, security measures should be proportional to the risk-level and size of the company,” Adriel Araujo, CEO, Hackmetrix, told MBN.
No. 2: Identity System Defense
The theft and misuse of credentials has become a favored attack vector among cybercriminals and is now the primary method attackers use to gain access to systems and achieve their goals. Human error is responsible for the greatest share of data breaches, a risk that can be reduced with cybersecurity training and protocols. Gartner anticipates the emergence of consolidated solutions for verifying identities and defending identity systems to combat this problem.
“In the past, we used to talk about securing the perimeter of a company network. Now, we speak of securing the identity of users. Digital hygiene, meaning adequate employee behavior, is essential for maintaining cybersecurity,” Jesus Navarro, CEO, Data Warden, told MBN.
No. 3: Digital Supply Chain Risk
Disruptions to the global supply chain amid COVID-19 forced companies to make concerted efforts to digitalize their supply chains. This industry-wide shift has inadvertently made the digital supply chain rely on platforms that have become “unsung core components holding up” digital operations, said Firstbrook. Vulnerabilities stemming from third-party applications have made accountability, and therefore security, much more difficult.
“Gartner predicts that by 2025, 45 percent of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021,” reads the press release.
No. 4: Vendor Consolidation
In an increasingly saturated security market, vendors have begun consolidating security products onto single platforms, offering packaged, price-competitive solutions to differentiate themselves. While Gartner expects the trend to reduce complexity and long-term costs, it may also result in reduced negotiating power for buyers and in potential single points of failure.
“[C]onsolidation is not only a technological and vendor-based challenge, but an infrastructure challenge. When piecemeal solutions are selected and deployed from one vendor to the next, teams are trained up and put in place to manage those services and the ecosystem develops around them,” according to CheckPoint.
No. 5: Cybersecurity Mesh
Cybersecurity mesh architecture (CSMA) is a contemporary enterprise-grade security architecture based on interoperability and coordination between individual security products, resulting in a more integrated security policy. Gartner expects organizations that adopt it to reduce the financial impact of individual security incidents by an average of 90 percent by 2024.
“Keep in mind that the CSMA does not have to happen all at once. Organizations can add pieces to the architecture a few bricks at a time. As they choose new security tools, they can select those that adhere to an intercommunication philosophy,” said Joe Robertson, Director of IS and EMEA CISO, Fortinet.
No. 6: Distributed Decisions
C-suite executives rely on fast, agile cybersecurity functions to support digital business priorities; however, the more digital an organization becomes, the greater the need to distribute responsibility and decision-making. While CISOs will continue to set policy, relying on the visibility and know-how of cybersecurity leaders throughout the organization will strengthen the overall security posture, according to Gartner.
“[W]ithout holistic support, cyber-security managers may be overwhelmed by the complexity of the system in which they operate; a good understanding of the underlying systemic structure may be a partial antidote to the use of fallacious decision strategies,” according to Sander Zeijlemaker et al., “Decision-Makers’ Understanding of Cyber-Security’s Systemic and Dynamic Complexity: Insights from a Board Game for Bank Managers,” Systems, 2022.
No. 7: Beyond Awareness
Human error continues to be at the center of most data breaches, indicating that traditional security awareness training is ineffective. The most “[p]rogressive organizations are moving beyond outdated compliance-based awareness campaigns and investing in holistic behavior and culture change programs designed to provoke more secure ways of working,” according to Gartner.