The demand for cybersecurity services continues unabated amid an increasingly complex threat environment.
Cyber and information security emerged at the top of planned IT investments for 2022, according to Gartner's annual CIO survey. The market researcher polled 2,387 CIOs globally and found 66% anticipated boosting security investments this year. Other data reinforce the primacy of protecting IT assets. Strengthening cybersecurity was the most-cited business initiative influencing technology spending in an Enterprise Strategy Group (ESG) poll of 706 senior IT professionals. Thirty-eight percent listed cybersecurity, which outranked other popular initiatives such as improving data analytics and customer experience.
As for the specifics of the cybersecurity outlook, 2022 trends will cover a range of technologies and services. IT services executives predicted developments in areas such as zero trust, user education and security operations centers (SOCs). Here's the rundown:
Zero trust, SASE adoption continues
COVID-19 sparked a work-from-home movement and dramatically expanded the attack surface businesses need to protect. The evaporation of traditional organization boundaries will make zero-trust security approaches and associated technology a key 2022 cybersecurity trend.
While the remote workforce eased business continuity, it also exposed threats and vulnerabilities spanning corporate and personal digital productivity devices, said Ganeshan Venkateshwaran, president at Trianz, a digital transformation consultancy in Santa Clara, Calif.
"The new normal will require IT leaders to reassess their approach with a zero-trust and zero-latency [strategy] on all dimensions of their IT assets," he said.
The goal is to provide a resilient IT and operational technology (OT) infrastructure for business users and customers, Venkateshwaran added.
James Christopher, executive vice president of operations and engineering at 1901 Group, an MSP in Reston, Va., and a wholly owned subsidiary of Leidos, also cited zero trust as a major theme for 2022.
"Zero trust will continue to be a significant focus for organizations looking to rethink traditional network security implementations, where devices within the corporate perimeter were trusted by default in the past," he said.
Secure access service edge (SASE) technology, which complements zero trust, will also gain ground in 2022. SASE attracted IT departments' attention in 2021, noted Eric Bostick, CTO at NWN Carousel, a cloud communications service provider based in Waltham, Mass.
That attention will translate into SASE infrastructure adoption this year, he predicted. "SASE allows for the merging of wide-area networking and security technologies through cloud services to connect users and apps, regardless of location," he said.
Cloud access security brokers (CASB), viewed as a subset of SASE, could also see rekindled interest. The reason? The wider use of SaaS has extended organizations' security responsibilities.
"Cloud access brokers have been around for a while, but there will be a big rise in this area as SaaS platforms are more prevalent in large enterprises [and] present significant security challenges," said Sean McDermott, president and CEO at Windward Consulting Group, an IT solutions provider in Herndon, Va. McDermott is also president and CEO of RedMonocle, a cyber-risk quantification software company.
Customers start addressing quantum security
In addition, 2022 could be the year that more organizations begin preparing for the security implications of quantum computing. Cyber experts suggest threat actors will eventually harness quantum technology to break public-key cryptography algorithms. A report from consulting firm Deloitte, "Preparing the trusted internet for the age of quantum computing," said cryptographic governance approaches should be revamped to respond more rapidly to evolving security threats. Customer demand in this nascent field will emerge this year.
"We do expect some organizations to begin down the path of crypto governance in 2022," said Colin Soutar, Deloitte risk and financial advisory managing director in the company's Cyber and Strategic Risk group.
The current threat environment belies the notion that cryptography never needs updating once it's deployed in hardware or software. "The quantum threat illustrates that changes will likely be needed -- and that having a framework to support such changes is generally good cyber hygiene," Soutar, one of the report's co-authors, said.
Cryptographic governance starts with an awareness of where risky cryptographic algorithms exist and how long they are expected to persist, he noted. With that understanding, customers can move on to updating mechanisms. Industries in which algorithms are expected to endure over a long timespan will be among the first to revise cryptographic governance, he said.
Will algorithms need to persist in a medical device or vehicle for 10 years? Those dynamics, Soutar said, will likely catalyze action in industries such as automotive and healthcare. Other considerations, such as the need to protect intellectual property or financial transactions, will also influence which industries move on cryptographic governance.
Local governments, supply chains remain security trouble spots
Service providers expect cyber attackers to return to their usual victims in 2022. Local governments last year experienced numerous ransomware attacks. That trend looks set to continue.
Matthew Hodson, CIO at Valeo Networks, an MSSP headquartered in Rockledge, Fla., said municipal governments and other public sector entities have become "super easy targets."
"They are running on really old infrastructures and they don't have the budgets to do best-practice security like a commercial company does," he said.
Similarly, supply chain attacks such as the SolarWinds Orion and Kaseya hacks should persist in 2022. Sharon Chand, Deloitte cyber risk secure supply chain leader, said cyber attackers are "busy leveraging hyperconnected digital supply networks to invent new attack vectors." The task ahead, she said, is to move beyond monitoring security risk and start mitigating it.
Need for customer education grows amid changing attacks
The evolving scope and complexity of attack vectors require more vigilance among organizations. Service providers expect to see redoubled education efforts at all levels of a business.
"Organizations are doubling down on cyber policy, education and training to reduce the risk associated with cyber attacks to include ransomware," 1901 Group's Christopher said. Ransomware incidents hit an all-time high in 2021, he added.
Mary Galligan, U.S. cyber and strategic risk crisis management leader and board educator at Deloitte, said security training will become smarter and more frequently delivered in 2022. Tailoring initiatives to specific audiences will be a top priority for many organizations this year. The scope ranges from educating boards of directors on new threat types to training new employees to help mitigate the security risks of a high-turnover workforce, she said.
SOC becomes a standard MSP offering
Fast-paced attacks such as ransomware have heightened the need for rapid detection and response, Valeo's Hodson said. This velocity makes it important for service providers to offer SOC capabilities. Many MSPs focus on helping customers identify threats and offering protective measures, he noted. A SOC, however, bolsters their ability to quickly snuff out incursions before they do damage.
As a result, more MSPs will include a SOC as a standard part of their offerings versus an optional service, Hodson contended.
"More [service provider] companies, as they evolve and mature, are going to start making that more of a requirement," Hodson said. "It's protection for the customer and MSP. You're stopping that attack [and] keeping clients' and MSPs' reputations out of the news."
Enterprise Strategy Group (ESG) is a division of TechTarget.