Cybersecurity in 2022: It’s Not Getting Easier
As we wrap up the year, it always makes sense to take a look back and see what worked and what didn’t; what we can do better and what we have to accept. When 2021 ended, it was pretty bad. We were still trying to navigate COVID-19 and plan for a return to in-person work. But the markets were decent, the investment dollars kept flowing and while effective cybersecurity was hard, there was some optimism that it would get better.
Well, it didn’t. In hindsight, it should have been obvious that a recession was coming. Companies of all shapes and sizes tightened their belts, expecting security to do more with less. Yeah, you’ve heard that story before. Of course, you probably couldn’t have projected Russia’s attack on Ukraine nor planned for the cybergyrations necessary to determine if you were within the blast radius of the attack(s).
Data and workloads continued to move to the cloud unabated, putting pressure on data governance policies and visibility efforts to track the data. Many organizations now expect to run their environments (both development and infrastructure) using CI/CD pipelines, and they haven’t been proactive in understanding how to protect them.
So, yeah, things got harder for security professionals in 2022. But it wasn’t all bad. Security analytics continued to advance, improving detection. Organizations started making progress on deploying zero-trust architectures for both their perimeters and identity environments. Security budgets weren’t impacted until late in the year, as security tends to be one of the last expenditures to be impacted in a slowdown. Ultimately a couple of realities set in this year and for 2023 to improve, we’re going to have to address them.
- No juice: I was involved in a number of cloud and container security projects with enterprises this year. In each one, the security team had difficulty getting the dev teams and business influencers to care. To be clear, they said they cared, but their actions spoke louder. They don’t care about security until something bad happens. Then, they are happy to throw security under the bus. The mandate for change will need to come from the executive suite. That’s the only way to align the incentives toward protecting data.
- Identities run amok: As workloads and data move to the cloud, implementing an effective, enterprise-wide identity and access management (IAM) strategy is the critical arbiter of success. It’s also hard to retrofit an effective tenancy and IAM structure once workloads are deployed, so there isn’t a lot of time to waste to get your arms around IAM.
- AppSec still lags: As exciting as it is to think about having developers build secure code, they are neither trained nor incentivized to do so. Thus, they don’t. Yes, you can (and must) build security tests into the pipelines. You should push (hard!) to break builds that have critical security errors. But developers have been (and will continue to) push back on being responsible for application security, so we’ll need to find a middle ground.
- Skills upgrade: Sadly, with many companies reducing headcount, thousands of qualified security folks are looking for work. Yes, many of them get snapped up quickly, but not all. Now would be a great time to invest in your security skills, but too many organizations responded to the slowdown by freezing hiring and don’t use downturns as an opportunity to upgrade their personnel. The savviest managers buy when everyone else is selling; many organizations were selling in 2022 (and will continue to do so in 2023). If you can, add hard-to-find skills (like cloud security and AppSec) now.
- Regulatory uncertainty: Between the ongoing privacy litigation in Europe and the new software bill of materials (SBOM) mandate in the U.S., it remains hard to know what “compliance” really means and what it will take to pass assessments. Of course, an effective security program should address most compliance requirements, but there will continue to be uncertainty, so expect some unplanned work as we get clarity on the expectations.
I could go on, but that’s a pretty good overview. I alluded a bit to what’s coming in 2023, but we’ll dig into that in greater depth during our Predict 2023 virtual conference on January 12, 2023. You can register here. Have a happy and safe holiday season, and we’ll see you at Predict in a few weeks.
Cybersecurity Labor Shortage Grows Worse in U.S. And Worldwide: Report
Global Cyber Security Labor Shortage and International Business Risk
Infosec books | InfoSec tools | InfoSec services