March 2, 2022

Last Updated on January 19, 2024

On a recent episode of The Virtual CISO Podcast, host John Verry channels his Nostradamus alter ego to predict the most important cybersecurity shifts and trends coming our way in 2022.

“I don’t think it’s that crazy to play Nostradamus if you base your predictions on where we are today,” John contends. Cloud acceleration, staffing shortages, cybercrime, and escalating privacy regulations blend to make 2022 a notable challenge.


4 Notable Changes and Ongoing Challenges

To start the podcast, John articulates four “ongoing and notable” challenges our industry is currently facing that will only increase in magnitude in 2022:

  1. The relentless transition to cloud services, which COVID and work-from-home have further accelerated. John further notes the rising demand for what he calls “cloud-centric security solutions” to help secure our data, networks, workloads and applications hosted in the cloud.
  2. The cyber staffing shortage, which didn’t get any better last year and might well get worse in 2022.
  3. Cybercrime on the whole, which certainly isn’t diminishing. John notes that ransomware remains a serious problem, while devastating “nation state level” attacks like SolarWinds are increasingly of concern.
  4. Besides information security, businesses will increasingly need to focus on escalating privacy regulations. “We haven’t yet seen their impact because I don’t think we’ve seen much enforcement of them to this point,” John notes. “If that does occur, I think we’ll see some significant evolution of our response.”

2 Logical Responses from Key Stakeholders

With those challenges as a backdrop, John logically expects 2 main responses from key stakeholders in 2022:

  1. Government entities will hand down more security and privacy regulations, starting with changes already in motion. These include Presidential Executive Order 14028 on “Improving the Nation’s Cybersecurity” from May 2021, the evolving CMMC 2.0 requirements for defense contractors (initially), and US state-level privacy regulations like those from California, Virginia and Colorado. Twenty-three states introduced privacy legislation in 2021, so the need to address privacy requirements can only escalate.
  2. As more and more of our workloads and data land in the hands of cloud service providers (CSPs) and other third parties, the corresponding demands of regulators, clients and our own risk management programs will drive increased attention on vendor due diligence and overall supply chain risk management. This pressure will come from both external and internal stakeholders.

1 Logical Response from Organizations that Process Client Data

If you’re a CSP, law firm, or other org that processes third-party data, you’re going to need to muster greater security/privacy due diligence both internally and externally in 2022.

Obviously, regulations and market requirements are running that way. For example, if you’re a supplier in a US government supply chain like the defense industrial base (DIB) or a critical infrastructure market sector like healthcare or IT, you’ll increasingly be subject to “flowdown” requirements to comply with regulations like NIST 800-171 and CMMC 2.0 that are—or soon will be—impacting your clients and partners.

John further observes that Cyber Liability Insurance (CLI) providers will be amping up their level of due diligence, not to mention their premiums, after taking a financial drubbing these past few years thanks to the rampant manifestation of cybercrime risk.

Similarly, there’s a growing cross-sector expectation that service consumers will exercise greater due diligence to ensure that vendors are “doing the right thing” with their data. Firms that process others’ data will need to be fully prepared for that in 2022. John cites a Gartner report predicting that in 2022, “60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.” This implies major impacts on new and renewing contracts, such as demands that vendors assume the risk of third-party attacks, such as covering remediation costs. Firms assuming such risks need to be prepared to mitigate them.


Next Steps

“All that is going to drive significant changes in the way you address security and compliance within your organizations,” summarizes John. The next question is, what is the best way to identify and make the right changes for your organization?

To get all John’s predictions for 2022, click here.

Hearing rumblings that you might soon be required to comply with the NIST 800-171 cybersecurity standard because you handle Controlled Unclassified Information (CUI)? This blog post explains the situation: All Federal Contractors are Already Subject to NIST 800-171 Requirements—Not Just the DIB