What’s Top of Mind for CISOs in 2022?

We’re living in a digital age; that’s nothing new. The dependence on technology for even basic tasks is multiplying, and new companies arrive on the market daily with promises to make our lives easier with applications and digital solutions.

Owing in part to the pandemic, organizations are now more dependent on technology than ever. While restrictions have lifted and the world has arrived at a ‘new normal,’ businesses around the world have announced that they are adopting remote or hybrid working models. This, coupled with the increasing reliance on various applications and services for business operations, in turn increases vulnerability.

As employees settle into more flexible work arrangements, security professionals are tasked with finding new and reliable ways to approach data and network safety. In this new landscape, what is top of mind for CISOs in 2022? There are a few key areas that stand out.

Ransomware/Malware

The agility of cyber-criminals is unrivaled, as evidenced by the rise in ransomware attacks. A recent Forbes article lists some staggering figures:

  • Ransomware accounts for 10% of all security breaches
  • A survey found that 37% of global organizations were the victim of some sort of ransomware attack in 2021
  • According to the FBI, ransomware attacks were up an alarming 62% year over year from January through July 2021

In 2021, the average ransom payment was $812,000, up nearly $650,000 from the previous year. Nearly half of the companies victimized by these attacks paid the demanded ransom, making ransomware an industry in itself.

As ransomware often preys upon the naivety or unfortunate missteps of end users, networks and data are vulnerable throughout the organization. CISOs focus on preventative measures through penetration testing (mimicking an attack to find weaknesses before a real attacker does) and through ensuring end users receive enough information to make informed decisions. Keeping software patched and up to date is therefore a central line item in IT budgets and strategies.

Cloud and Network Security

While moving away from local installations and physical media has saved IT departments a lot of time and effort, it has kept security professionals on their toes. Cloud environments can create critical security visibility gaps, adding complexity to prevention tactics and managing networks and applications.

In late 2021, the Log4Shell attack was a wake-up call, thrusting cloud security to the top of CISO priority lists everywhere. The attack exploited a vulnerability in the Log4j logging framework used by Java applications, allowing attackers to make a vulnerable application load and execute malicious code. Hackers could gain control of vulnerable devices through Java, which in turn allowed them to establish backdoors, create botnets and initiate ransomware attacks.
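The practical response to an event like Log4Shell is the same one the ransomware section points to: know where the affected component is deployed and confirm it is patched. The script below is an added example, not code from the article or from the Log4j project, showing how a defender can run that check over a software inventory export. The inventory lines are constructed, the `host<TAB>artifact<TAB>version` layout is an assumed export format, and the minimum safe version is a parameter that must be confirmed against the vendor's current advisory rather than taken from this snippet.

```python
"""Flag hosts whose Log4j 2 version is below a configured minimum.

Added illustration, not the article's or the Log4j project's code. The
inventory below is constructed, and MIN_SAFE_VERSION is an assumption to be
verified against the vendor advisory for your Java baseline before use.
"""
import re
from typing import List, Optional, Tuple

# Assumption: the version below which log4j-core is treated as needing an
# upgrade. Check the Apache Log4j security page for the current value.
MIN_SAFE_VERSION = "2.17.1"

# Constructed sample export: one "host<TAB>artifact<TAB>version" line each.
SAMPLE_INVENTORY = """\
web-01\torg.apache.logging.log4j:log4j-core\t2.14.1
web-02\torg.apache.logging.log4j:log4j-core\t2.17.1
api-01\torg.apache.logging.log4j:log4j-core\t2.0-beta9
api-02\torg.apache.logging.log4j:log4j-api\t2.17.1
batch-01\torg.apache.logging.log4j:log4j-core\t2.18.0
batch-02\tlog4j:log4j\t1.2.17
"""

# major.minor[.patch][-tagN], e.g. 2.17.1 or 2.0-beta9
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+)?)?$")

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Turn a version string into a comparable tuple, or None if unrecognised.

    A pre-release tag sorts below the final release of the same number:
    2.0-beta9 -> (2, 0, 0, 0, 9) is less than 2.0 -> (2, 0, 0, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag, tag_num = m.groups()
    release_flag = 0 if tag else 1
    return (int(major), int(minor), int(patch or 0), release_flag, int(tag_num or 0))


def classify(artifact: str, version: str, min_safe: str = MIN_SAFE_VERSION) -> str:
    """Classify one inventory entry.

    'vulnerable'     log4j-core 2.x below min_safe
    'ok'             log4j-core 2.x at or above min_safe
    'end-of-life'    the unsupported Log4j 1.x line, which needs its own review
    'unparseable'    log4j-core with a version string we cannot compare
    'not-applicable' anything else (e.g. log4j-api on its own)
    """
    if artifact == "log4j:log4j":
        return "end-of-life"
    if not artifact.endswith(":log4j-core"):
        return "not-applicable"
    parsed = parse_version(version)
    floor = parse_version(min_safe)
    if parsed is None or floor is None:
        return "unparseable"  # cannot prove it safe, so surface it for review
    if parsed[0] != 2:
        return "not-applicable"
    return "vulnerable" if parsed < floor else "ok"


def scan_inventory(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, artifact, version, status) for each well-formed line."""
    results = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed export lines rather than guessing
        host, artifact, version = parts
        results.append((host, artifact, version, classify(artifact, version)))
    return results


def hosts_needing_action(text: str) -> List[str]:
    """Hosts that are vulnerable, unparseable, or on the end-of-life line."""
    return [h for h, _, _, status in scan_inventory(text)
            if status in ("vulnerable", "unparseable", "end-of-life")]


if __name__ == "__main__":
    for host, artifact, version, status in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host:10} {artifact:40} {version:10} {status}")
    print("action needed:", ", ".join(hosts_needing_action(SAMPLE_INVENTORY)))
```

The version parser is the part worth getting right: a naive string comparison would rank `2.0-beta9` above `2.0` and `2.9.1` above `2.17.1`, silently hiding exactly the hosts the check exists to find. Entries the script cannot classify are reported rather than dropped, since a visibility gap is the failure mode the cloud security section describes.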

This global attack called attention to cloud security, with 87% of survey respondents saying they feel less confident in their strategies. Companies offering protection for multi-cloud platforms have responded to this threat by accelerating the development of their tools.

API Security

APIs are fundamental in the modern era as nearly all functionality relies on an application of some sort. As the number of applications organizations use grows, so does the use of APIs for integration or the enablement of processes.

Unfortunately, as helpful as APIs are for the organizations that use them, they also attract the attention of cunning attackers seeking to exploit security holes.

In 2021, API attacks rose an incredible 681%, while API traffic saw a 321% increase. APIs are particularly exposed because they present challenges that traditional perimeter controls do not address. The API landscape is in constant motion, making it challenging for security professionals to keep pace. This leaves organizations vulnerable to data breaches, SQL injection, denial of service attacks, malware and falsified user authentication.

Workforce Development, Recruitment and Readiness

An all-too-common complaint across industries in 2022 is the lack of skilled and available workers to fill crucial roles. Cybersecurity career site CyberSeek reports more than 700,000 unfilled roles across the US at the time of writing, a number that has remained steady for months.

CISOs recognize the need for (and value of) top-class security professionals in their organization, but are having trouble filling appropriate roles. Training and upskilling existing IT professionals can help, but it’s a stop-gap measure if those employees are adding to their workload rather than being devoted to cybersecurity goals.

With workers moving to remote and hybrid models, CISOs also need to educate end users to strengthen security proactively. By educating users on the cunning tactics used by cyber-criminals, organizations stand more of a chance of protecting their data and end users from malicious activity.

Conclusion

The security landscape is rapidly changing, with ransomware attacks, API security and network exploitations on the rise. CISOs are focusing their budgets and strategies on proactive and preventative security measures, while upskilling staff and going to market to find talented professionals for their teams. For many organizations, there is no question about the need for increased security budgets and headcounts to protect valuable data.
