Security priorities for 2022: Advancement, not revolution

Security leaders are pushing ahead with holistic strategies heading into 2022, with a list of priorities that support enterprise resiliency.

Although CISOs surveyed by CSO for our annual Security Priorities Study, indicated a number of initiatives they’re planning to undertake in the upcoming months, they also say they’re not focused on beefing up any single tool nor relying on any one approach.

Rather, their priorities reflect the evolution of the security function that today must be a collection of interdependent policies, procedures, and technology capabilities that work together to counter the specific risks and threats faced by the CISO’s own organization.

Moreover, they say their priorities reflect security needs due to recent shifts in their organization’s IT and business environments, a changing threat landscape, and emerging risks.

In short, CISOs say their priorities for 2022 are all about keeping pace, and getting better.

Landscape changes shift priorities

There’s more going to the cloud. IT is decoupling applications from the data layer. CIOs are moving to more composable architecture. And they’re accelerating their digital initiatives.

“And the other reality here is we’ve been on this work-from-home journey for two years, so the perimeter is now at the farthest end of where workers want to work, and this state of insecurity we have been managing for the past two years will continue,” says Liz Miller, vice president and principal analyst at Constellation Research.

IDG

At the same time, CISOs need to be working on their own staff, too. “The concept of this Great Resignation is real, and it’s really ugly when it comes to security. People are leaving security because they’re burned out. That’s going to be even harder to manage in 2022,” Miller says.

“The question now for CISOs is: How do we manage all that? How do we run smart, so secure and fast are achievable?” Miller asks.

Darrell Keeling, vice president of information security and HIPAA security officer for Parkview Health, has some ideas.

Like other security chiefs, Keeling has seen the threat landscape evolve during his tenure.

For example, he has seen hackers increasingly target healthcare institutions with ransomware attacks. At the same time, organizations, including his own, have become more digital with growing cloud environments—moves that have vastly expanded the attack surface and practically eliminated the idea of a perimeter.

Keeling says his priority is to mature security to match both the evolving technology stack and the threats coming at it.

He says that involves simplifying his security stack, moving from a large collection of best-of-breed solutions from multiple vendors to one relying heavily on Microsoft security solutions. (Parkview Health IT is mainly a Microsoft shop using Azure cloud.) He says simplifying the security stack will create more effective and efficient security operations, with easer integrations and fewer added costs.

As part of that move, Keeling plans to focus on staff training to get more of his team Microsoft certified.

Other 2022 priorities for Keeling include implementing more intelligence, behavior analytics software, and cloud security technologies; building a threat hunting capability; and shoring up his third-party risk management program.

CISO priorities drive interest in tools, technologies

The Security Priorities Study confirmed that CISOs are continuing to invest in technologies, with 90% saying their organizations added at least one security tool in the past 12 months.

The list of technologies that CISOs are prioritizing also reflect their increasingly integrated approach to security.

IDG

Case in point: Cloud data protection technologies top the priority list, with 87% of CISOs either studying, piloting, using or upgrading their use of them.

In a related finding, 88% of CISOs are prioritizing cloud-based cybersecurity services.

Data access governance technologies also tops the CISO priorities list, as does zero trust, with 84% indicating that zero trust is a priority for them.

Behavior monitoring and analysis is another big priority, with 82% saying they’re studying, piloting, using, or upgrading their use of them.

CISOs also indicated high interest or use of security orchestration, automation and response (SOAR) technologies, with 77% of CISOs either studying, piloting, using or upgrading their use.

IDG

Such figures don’t surprise security analysts and researchers. They say such technologies are needed to defend environments that have rapidly changed in the past few years as organizations invested more in cloud computing to enable digital transformation and access from anywhere.

“The cloud is really the centerpiece of security,” says Andrew Plato, CEO of the consulting firm Zenaciti and a cybersecurity analyst with The Analyst Syndicate. (He notes that he sees CISOs particularly interested in cloud security posture management platforms that give them a holistic view and enable security across their multiple cloud deployments.)

Kevin F. Brown’s priorities for the upcoming year are representative of such trends.

Brown, senior vice president and CISO for Science Applications International Corp. (SAIC), said his top priorities are talent recruitment and retention; business continuity and resiliency; zero trust for network, cloud, and data; and business enablement.

“Cybersecurity talent continues to be in high demand and short supply, particularly in building diverse and inclusive teams which is essential. Ransomware continues to be a top threat across industry both from a denial of business impact, but also from an increasing data exfiltration aspect. Apart from protection capabilities, resiliency and recovery plans need to be in place,” he explains.

He continues: “Zero trust principles need to be in place not only for traditional network security but also as a strategy for the ever expanding perimeter of the user and cloud in particular, as well as the protection and integrity of crucial data.

“While maybe a bit all encompassing, enabling the business is a top priority, whether it be through providing secure business solutions, mitigating risks, promoting security-by-design concepts, etc.,” he concludes.

Priorities support continuous security program improvements

Despite the importance of each priority item for 2022, Brown says none of them is a new priority; they’re all a continuation of what he’s been working on.

That, too, reflects the overall state of cybersecurity programs for CISOs, Plato says, noting that 2022 will be about advancement, not revolution.

“Will there be some cool tech that revolutionizes everything? Probably not. But the pieces to do all that [CISOs must] are already there,” he adds.

Some 67% of respondents said their organization is increasing its focus on improving the utilization and/or resourcing of their security services, and 62% said they have a process for ongoing evaluation of the effectiveness of their security solutions and services that it owns or accesses through vendor contracts.

Shawn M. Bowen, vice president of information security for World Fuel Services, says his overarching objective is continuous improvement of the security function—a goal that’s driving his work for the upcoming year.

For example, he’s seeking to sharpen his ability to design security policies, procedures and controls tailored to his company’s own identified risks and threats.

“I want to evolve beyond a framework maturity model to being a risk-based security operation,” he says. “So rather than building security off a framework and providing standard services, our goal is to focus on our enterprise risk management program.”

To that end, he is working with his business colleagues to understand, articulate, and prioritize the risks and threats within their particular functional areas so that security can truly align its resources to defending against them.

Furthermore, Bowen wants to get the business more engaged in the security’s enterprise risk management approach. He plans to use that engagement to then develop appropriate threat modeling for each of their products and services so he can tailor security offerings to those specific threats.

He also wants to create ways to measure progress based on how well security improves its performance in delivering services in those areas.

Challenges for 2022

CISOs indicate that they face plenty of challenges in achieving their objectives in the year ahead.

According to the Security Priorities Study, CISOs said that the top reason for their organization falling short in addressing cyber risk is difficulty convincing all or parts their organization about the severity of the risks they face. Some 30% indicated that this is an issue.

Nearly as many (29%) indicated that inadequate resources are at play, while 27% cited the inability to be adequately proactive in their security strategy.

Other top reasons for falling short in addressing cyber risk include struggles in recruiting and retaining professional expertise; failing to always address security requirements during application development; and inadequate security training for users.

Although acknowledging those as significant challenges, analysts point out that many of the CISO priorities will help them push back on these very issues.

They note, for instance, that focusing on incident response, particularly when tailored to business risks and combined with business enablement and resiliency, engender more business support for security initiatives.

Meanwhile, adding more data protection technologies, cloud security tools, and solutions supporting zero trust and SOAR help embed security into more of the core technology stack, rather than making it a bolt-on service.

And CISOs who add automation capabilities as part of those technology deployments help ease the challenges that come from having too few security staffers and the occasional user-side security slip-ups.

Michael Ibarra, CISO of Symbridge Holdings LLC has many of the same priorities for 2022 that other security leaders list and sees them as key to a holistic security strategy.

IDG

He’s working to strengthen his company’s data privacy protections as well as its vendor risk management practices.

He’s focusing on API security and digital identity, both necessary for the growing cloud environments that CISOs must secure in this modern digital era.

He’s fortifying defenses against breaches, studying particularly how best to mitigate and prevent state-sponsored cyberattacks.

He’s working to tie security plans into the company’s technology change control process so that security evolves as quickly as IT and studying bleeding-edge technologies that could deliver value.

And he’ll extend his efforts to recruit and retain talent, partly by ensuring he’s offering the right training and skills advancement.

Ibarra says they work together to create cyber resiliency.

“We always stay focused on delivering a safe and secure platform, and one of our top priorities is always to minimize risk,” he says, “but prioritizing resiliency allows us to prepare for the unknown.”