How can cybersecurity and risk leaders best predict and plan for 2022? Sometimes, the right answers surface from asking the right questions. So what’s a key question for 2022?
It’s about customers, of course: “How do we make sure our consumers aren’t physically harmed by rogue agents?” is a good place to start, according to researcher Gartner. “That's the kind of question security and risk leaders need to predict and plan for in the future.”
- The upshot: A focus on privacy laws, ransomware attacks, cyber-physical systems and board-level scrutiny is driving the priorities of security and risk leaders. For 2022, Gartner predicts more decentralization, regulation, and safety implications over the next few years.
- The impact on MSSPs: Gartner’s predictions serve as a roadmap for MSSPs on the most important questions customers will be asking them to address in the near and long term.
Gartner’s top eight predictions and issues for 2022 and beyond
1. By the end of 2023, privacy laws will cover the personal information of 75 percent of the world’s population. With wide-sweeping privacy laws (e.g. the EU’s General Data Protection Regulation and California’s Consumer Privacy Act), companies will juggle multiple data protection laws. As a result, organizations will need to focus on automating privacy management systems.
2. By 2024, organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90 percent. Cybersecurity mesh extends to cover identities outside the traditional security perimeter, creates a holistic view of the organization and improves security for remote work. These demands will drive adoption in the next two years.
3. By 2024, 30 percent of enterprises will adopt cloud-delivered Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Zero Trust Network Access (ZTNA) and Firewall As A Service (FWaaS) capabilities from the same vendor. While security leaders often manage dozens of tools, they plan to consolidate to fewer than 10. SaaS will become a preferred delivery method and consolidation will impact adoption time frames for hardware.
4. By 2025, 60 percent of organizations will use cybersecurity risk as a primary factor in conducting third-party transactions and business engagements. Organizations are increasingly including cybersecurity risk during business deals, particularly mergers and acquisitions and vendor contracts. The result is more requests for data about a partner’s cybersecurity program.
5. The percentage of nation states passing legislation to regulate ransomware payments, fines and negotiations will rise to 30 percent by the end of 2025 from less than 1 percent in 2021. Given the mostly unregulated cryptocurrency market, there are ethical, legal and moral implications to paying ransoms. The decision whether or not to pay ransoms should be addressed by cross-functional teams.
6. By 2025, 40 percent of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member. As cybersecurity becomes top of mind for boards, expect to see a board-level cybersecurity committee and stricter oversight and scrutiny. This increases the visibility of cybersecurity risk across the organization.
7. By 2025, 70 percent of CEOs will mandate a culture of organizational resilience to survive coincident threats from cyber crime, severe weather events, civil unrest and political instabilities. Companies will move beyond cybersecurity to organizational resilience to account for broader security environments. It will be important to define organizational resilience and objectives, and create an inventory of cyber risks that impact them.
8. By 2025, threat actors will have weaponized operational technology environments successfully enough to cause human casualties. As malware spreads from IT to OT, it shifts the conversation from business disruption to physical harm, with liability likely ending with the CEO. Organizations will need to focus on asset-centric cyber-physical systems, and make sure there are teams in place to address proper management.