March 8, 2022

Last Updated on January 19, 2024

Predicting the future isn’t easy—but forecasting 2022 security impacts based on current developments makes a lot of sense and helps with planning. That’s just what John Verry, Pivot Point Security CISO and Managing Partner, shares on a recent episode of The Virtual CISO Podcast.

John’s eighth and final prediction of the podcast is based on the mounting pressures that cloud service providers (CSPs) face around vendor risk management and more extensive security and privacy due diligence from their clients. To address these client concerns/demands, as well as reduce their cyber and compliance risk, demonstrating a “provably secure and compliant” posture is a logical (and strategic) step for many CSPs.

Third-party security attestations are competitive differentiators

In John’s view, 2022 is the year that CSPs will see the writing on the wall and begin prioritizing and pursuing trusted, third-party security attestations like:

  • The ISO 27017:2015 cloud security standard
  • The Cloud Security Alliance’s CSA STAR certification for CSPs
  • “Authority to operate”—that is, sell a SaaS offering to government agencies—from the US government’s Federal Risk and Authorization Management Program (FedRAMP)
  • Achieving “StateRAMP Ready” validation to help sell a SaaS offering to US state and local government organizations


“I think CSPs are going to up their game in terms of recognizing this [business] risk, recognizing the [needed] level of due diligence, and they’re going to use the most significant third-party attestations and frameworks for managing cloud risk,” John offers. “Why? It’s really the only logical response to significant client due diligence requirements, with a preference for 3rd party attestation.”


“It’s a marketing differentiator,” continues John. “If you and your main competitor both have ISO 27001 or SOC 2 attestations, increasingly we see organizations recognizing that a client’s trust in the marketplace is critical to their success. So, we see people actually looking at security attestations not only as a way to mitigate risk, but also to differentiate themselves from a marketing perspective.”

Response to government demands

Achieving third-party security attestations is not only essential to address cyber risk and stay competitive—it’s also increasingly a government and/or regulatory requirement.

“A large percentage of the US economy is driven by governmental spending in the federal, state, local/education markets,” notes John. “Increasingly, we’re seeing a fast-growing need for things like FedRAMP, StateRAMP and NIST 800-171 compliance (with CMMC compliance on the horizon) if you want to do business with the government. We’re already seeing that as a key driver [for CSP security programs].”

Next Steps

You’ll find the podcast episode with all John’s 2022 predictions here.

Want to explore the current state of the art in CSP security? Don’t miss this thought leadership podcast episode on the topic: EP 73: Why Cloud is More Secure than Your Average On-Prem Solution

SOC 2 vs ISO 27001 (Or Both)

What every Software-as-a-service (SaaS) firm needs to know in order to acquire/maintain independent validation of their security posture.
View our guide today.