In this article

Many of our Global Accounts have heard us say that we have never seen the industry as volatile and disruptive as it is today, with the proliferation of ransomware attacks, nation state attacks, ever-changing regulations and then throw a global pandemic on top of it, we are certainly in very interesting times when it comes to cyber. Many of the organizations we deal with have completed three- and four-years' worth of security transformation plans in 18 months. 

Today, our customers face more challenges than ever before. In the face of disruption, non-IT stakeholders are demanding outcome-based decisions, balancing the need to protect against the need to run the business and in response, security experts must understand how to prioritize investments in reasonable, consistent and effective controls to protect the business. 

As our World Wide Technology Global Accounts Cyber Team looks ahead in 2022, we identified a few areas which our customers should double down on. 

1. Prune and optimize observability pipeline for security

Accelerating secure business enablement while balancing out the risk profile is a modern-day challenge for security teams and businesses as whole. This has given rise to many concepts such as the adoption of a Zero-Trust architecture, Segmentation, SASE (Secure Access Service Edge), Full Stack Observability and AIOps to name a few. Furthermore, business agility and cost benefits associated with cloud migration and remote working are demands not only of business leaders but also employees of a modern working culture.

All of this can be daunting when a business must decide where to start, especially given the plethora of systems and data sources that typically exist. However, one constant appears irrefutable: you cannot protect what you cannot see. For this reason, I believe we will see a trend in 2022 where businesses seek to address observability and data validation as an enabler to the concepts outlined above. To do this, it is imperative for organizations to ensure: 

  • A level of accuracy is developed around the central data sources it retains
  • The relationships between all components of infrastructure as well as the associated application workloads are understood
  • Context exists to enable informed decisions to be made around protection controls, service management and transformation programs
  • Changes to the environment are observed and understood on a continuous basis

Recognizing patterns and understanding relationships within the data requires a multi-dimensional perspective. Success comes by embracing the fact that data does not exist just in one dimension or even two, but rather that data exists in three dimensions, and its travel path is omni-directional.

Here at WWT we specialize in making a new world happen – creating the foundations for business change by leveraging proprietary tooling, specialist teams and third-party relationships to blend a unique capability that enables our customers to:

  • Ingest all relevant data sources to ensure a multi-dimensional view of the existing environment
  • Identify commonality between datasets and combine disparate systems into a homogenous singular source of truth
  • Work together to determine if the relationships are correct and necessary
  • Drive an agile policy creation methodology
  • Implement continuous discovery and identify divergence from the baseline with immediate feedback for investigation, acceptance or rejection
  • Gain context around the range of data sources to turn information into intelligence

2. Application security takes center stage... again  

2022 will be a year focused on digital transformation and acceleration to the cloud for financial services organizations. As the economic recovery continues into 2022, banks will increase innovation efforts. Increased competition from open finance and fintech startup companies will lead the banks to smash the pedal down on digital transformation of applications to improve customer experiences. To support the diversity of the modern application needs while maintaining balance with data security requirements, distributed, multicloud implementations will become commonplace in 2022.  

User experiences will drive application code closer to the customer edge. Increasing focus will be on distributed cloud services. With this movement closer to the edge comes new challenges for security professionals to maintain consistent observability and policy enforcement regardless of where the application is deployed.  

A fully connected mesh of distributed cloud services will become the modern dial-tone for applications. Several OEMs are offering distributed, multicloud networking services, but application security requirements will drive organizations to build a robust services edge with security visibility and enforcement applied across Layers 3-7. Edge security no longer means just network security. Multicloud requirements mean proprietary, cloud-native security tools are not operationally effective or cost-effective to maintain.  

Along with more apps, distributed across the globe, comes more microservice APIs exposed than ever before. Security teams will need to maintain tools to continuously discover new APIs. While Web Application Firewalls (WAFs) have become commonplace for web services, API exposure will become the greatest risk to modern applications. Along with a distributed application services edge, organizations will require a distributed secure API gateway service to maintain API security controls, stop attacks and mitigate vulnerability.

The number of applications will continue to explode in 2022. Will your application security strategy be ready to adapt and defend against the latest threats?

3. Rethinking evaluations 

Ideas are exciting. But what good are they unless we spin them into measurable outcomes? Our success, as leaders, teams, IT organizations, and ultimately the business at large, is measured by the goals we achieve and how efficiently and consistently we achieve them. 

Determining your product procurement goals, or outcomes, is far more complicated than it used to be. A sign of simpler times, I was very narrow-minded about outcomes during my early years in technology. My goals were as simple as installing new tools, rolling out advanced features or consolidating a firewall; they were task-oriented and easily achievable. Goal set, outcome achieved, no problem. But that was back then. 

We are now in a time of rapid transformation, where cyber attackers and solution developers are in a cutthroat race to outdo each other. We are dealing with an extremely volatile threat landscape, with malicious email threats up 600 percent and ransomware attacks occurring nearly every 11 seconds, causing damages that could cost tens of millions per hit. All of this, while organizations are struggling with skilled labor shortages, challenging regulatory changes and limiting budgets.

Our old habit of going too deep, too fast by focusing primarily on technical capabilities of a product or solution just won't cut it anymore. We need to look at the needs of the organization as a whole, considering tangible business outcomes, rather than break/fix resolutions, particularly when it comes to product comparisons and solution validation.

Evaluating emerging technologies such as SASE, XDR and the countless solutions for the multicloud construct will push savvy organizations to their breaking point. Even with a mature solution evaluation methodology, organizations will struggle to balance their own due diligence requirements with the nonstop sense of urgency brought on by newly discovered vulnerabilities and attack vectors (i.e. Log4js). Organizations unaware of the complexities beyond a simple pass/no-pass efficacy test will throw themselves headlong into new technology—a proverbial crapshoot, which will most likely result in vendor lock-in and reduced optionality.

The sage technology leaders will pursue avenues of partnership with trusted advisors, such as WWT, who can augment a solution evaluation—even as early as in the RFP process and extending beyond product selection and into implementation and operationalization. This will reduce the risk inherent with security transformation at a breakneck speed.

4. XDR has arrived 

The growing trend in the cybersecurity industry is changing every day. Threat actors are using sophisticated security threats to evade detections across multiple security tools and environments. In the past five years the solution to behavioral threats and attacks was to use an Endpoint Detection & Response (EDR) solution. The paradigm is shifting once more as EDR/NDR/SIEM/SOAR are all slices in one pie of the bigger picture which is XDR. We are seeing more EDR solutions transitioning their EDR solution into an XDR offering. Security vendors are either partnering or acquiring different companies to create that XDR solution, such as the recent acquisition of Humio from Crowdstrike, or the recent creation of the XDR Alliance by Exabeam.

The greatest challenges we see in the industry (specifically within Security Operations) are alert fatigue, gaps in visibility between security tools, and slow detection and response times. Vendors are responding to this with XDR, a combination of EDR, NDR, SIEM and SOAR. XDR helps the SOC collect and triage data across multiple security layers at the same time, a task that has historically required switching between multiple "panes of glass" and using human decision-making to build an enterprise-wide perspective of events. XDR solutions also provide automated analysis and remediation, whether natively or through API-connections with third-party solutions.  

In 2021 the headlines across the media, industry, government agencies and organizations have been ransomware and breaches. According to the Verizon Data Breach investigations report "Ransomware is part of 10% of all breaches. It doubled in frequency in 2021" and "Approximately 37% of global organizations said they were the victim of some form of ransomware attack in 2021" according to IDC's 2021 Ransomware Study. There are currently two security architectural approaches to combat ransomware (Zero Trust & XDR), and why you should use utilize both in your environment. The premise of Zero Trust is to lock down one's environment, minimizing the attack surface. It is a framework requiring all users (on-premises, off-premises) to be authenticated, authorized, and continuously validated for security configuration before granting access. XDR brings together all the information and events about possible attack elements, which goes beyond your traditional SIEM infrastructure by aggregating log data for correlation, machine learning and analysis. Combining these two solutions, along with MFA and Network Segmentation will result in a smooth, more predictable, less stressful day-to-day work experience for your SOC.

A recent survey by DarkReading states that only 24 percent of respondents were very familiar with "XDR." Here are some items that organizations must consider before going "all in" with XDR. 

  • How does your SIEM Align with XDR?
  • Data Management – XDR will need to be able to collect, process, analyze and automate terabytes of real time data into an organizations SOC process.
  • Deployment of XDR – Similar process from other security solutions, will require buy-in from relevant stakeholders.
  • Integration with existing security solutions

While EDR's value in the industry has been helpful for security teams, it's just not enough. The value that XDR will provide for an organization's security operations will be exponential for years to come. Here are some items that will help an organizations overall security posture.

  • Improving visibility across the entire security ecosystem and Reducing Mean Time to Detect, Investigate, and Respond (MTTD, MTTI, MTTR).
  • True Unified single pane of glass across multiple security tools and attack vectors by leveraging data from endpoints, email, servers, cloud workloads, networks, SIEM and SOAR.
  • Increasing SOC productivity by avoiding alert fatigue.
  • Integrate multiple security solutions and tools to realize true ROI.

5. SASE snapshot  

As more and more global banks aim to take SASE architecture from theory to production, 2022 promises to be a year of continuous transformation. With the adoption of SASE, we'll see deeper organizational unification and collaboration between the security, end user and network teams as well as parallel efforts to drive further along the maturation curve to achieve zero trust architectures.

The top players in the SASE space such as Zscaler, Netskope, Palo Alto Networks, Cisco and iBoss have been battling head-to-head in a race to improve capabilities and mature their platforms so that features such as remote browser isolation as well as advanced CASB functionalities are now table stakes. They'll continue to match each other in performance to ensure the highest level of end user experience, adding more robust points of presence globally with broader adoption of the technology daily. 

The vendor landscape supporting SASE architectures will continue to grow at a rapid pace as technology companies invest in development and make acquisitions in this area – this will drive a greater need for early discovery around use cases and testing criteria to ensure timely technology evaluations to avoid getting stuck in the marketing bog in this crowded space. 2022 may prove to be the biggest year for SASE yet as the promises of this new architecture have become a reality and the shift is in full swing.

Organizations seldom settle on just one cloud vendor, in fact 93 percent of organizations end up with a multicloud environment (source: Flexera's State of the Cloud Report for 2020). We expect this trend to continue. We also expect that the tilt from AWS to MS Azure to continue with organizations preferring the Microsoft platform over AWS for new deployments.

This means that utilizing the Cloud Service Providers' (CSP) native toolsets for configuration compliance will just be point solutions for their particular CSP ecosystem and that organizations will need to focus on independent toolsets that are CSP independent. 

"Security Vendors" will continue to acquire new (Zscaler and Trustdome) or develop existing CWPP/CSPM functionality, potentially merging this with microsegmentation toolsets. This sort of functionality will become key to their relevance to a cloud world. Additionally, to this consolidation of OEMs, we predict maturation of the product set core functions of these tools. Cloud Workload Protection Platforms (CWPP) and Cloud Security Posture Management (CSPM) are the main third-party cloud configuration security toolsets, they are subtly different. WWT predicts that the functionality of these two types of tools will merge to create a new hybrid category of cloud security products.

Orchestration and automation of the deployment of services/virtualized components into multicloud environment will become critical to agility in this new world. We expect the larger OEMs to acquire these multi-cloud management start-up toolsets (for example F5 have acquired Volterra). These tools make the deployment of virtualized components into the various CSP platforms easier by abstracting this "CSP environment layer" away from the user – the user just needs to decide what they wish to deploy to where without a need to worry about the detail of the CSP environment.

Finally, users need to understand that whilst cloud is different to their traditional IT environments, it is really only hosting applications in another organizations data center. With that in mind organizations should not lose sight of the basics: vulnerability management/patching, identity management (including multi-factor authentication and privileged account management), and traditional boundary security.

7. Data protection takeoff 

Cyber attacks aimed at the supply chain more so than the primary company will increase: As the reliance on technology continues to grow, and the flexibility of cloud services gain greater acceptance, companies will continue to rely more heavily on Third Party providers to address their security, technology and business needs. Therefore, threat actors will seek to exploit the vulnerabilities in Third Party services and APIs as opposed to targeting the primary company directly. At one time attacker only had one vector (the target's network) as an exploitable opportunity. However, with more vendors being added to the supply chain, there are more downstream attack surfaces that threat actors will seek to exploit.

Encryption and Data Obfuscation will increase (i.e., Tokenization, etc.). Over the last 15 years or so, companies have gotten comfortable with and accustomed to protecting/encrypting the obvious critical data that threat actors commonly exploit; namely, credit card and social security card information that have popularly become known as "PCI" and "PII" information. However, as company's discover greater opportunities in collecting client data for marketing and business purposes, new data groups pop up resulting in the defining lines of PII, PCI, PHI, and BII, blurring and becoming quite subjective depending on the business need. Virtually every piece of data that is collected – including metadata – will be able to reveal some secrets about the business, customers, or systems if properly correlated. Therefore, it's going to become necessary for companies to protect/encrypt most data if not ALL of it as opposed the common data forms that have been tagged as "critical."  All data will be critical.

An increase in focus on protecting and securing Privacy data (i.e. pseudonymization, anonymization) We are online now more than ever before. In fact, in the growing world of the IoT market and the implementation of 5G, even our refrigerators, virtual assistants, and smart watches are revealing personal things about us of which the degree of exposure is just becoming realized. Therefore, as it pertains to the collection and aggregation of identifiable data, customers and companies are quickly coming to the realization that their greatest asset is not their goods and/or services, but rather, it is their reputation along with the ability to keep certain information private and protected. As a result, the need to protect this data as well as to provide customers with greater control of their PII/BII data will become an even greater focus. Whether it be regarding the latest marketing strategy, a new encryption algorithm or a public relations issue – each of which the revelation could adversely impact the person and/or the business – the need for greater protection will increase first by policy and law, and as a result, by technology, processes, and practices. Some of the technical protections of this PII/BII data will include as well as require pseudonymization and anonymization.

Greater focus on Cyber Resilience and Security due to an increase in Ransomware and Malware attacks as mentioned previously, our reliance on technology will continue to grow, particularly as it relates to remote work, which has seen an exponential growth and shift due to the pandemic. As a result, more attack vectors have become available. As that ransomware and malware attacks have seen some degree of success over the past few years, MaaS (Malware-as-a-Service) and RaaS (Ransomware-as-a-Service) services have also increased, making the power and ability to leverage a successful attack available to even the most novice of IT users (i.e. script kiddies). In short, sophisticated attacks will be able to be executed by many unsophisticated threat actors. Therefore, not only will more companies find the need to define and implement a robust ransomware policy and process, but they will also need to engage in extensive system hardening, continuous score-carding, air-gapped or offline backup storage, immutable data replication, scanning, detection, and response processes in order to insure the resiliency of the environment.

The need to "Know-Your-Stuff" effort will increase In the banking world this is commonly known as KYC (i.e. Know Your Customer/Know Your Client). However, expanding beyond that, by "Know-Your-Stuff" I'm referring to the need to know and understand the stuff that is in your environment as well as the stuff that accesses it (i.e. assets, applications, people, etc.). Identity Access Management (IAM), Privileged Access Management (PAM), and Customer/Client Identity Access Management (CIAM), as well as Asset Discovery, will receive a greater focus in 2022 amidst the increase of ransomware and malware attacks as that not only do both attack processes seek to exploit and escalate access privileges, but they also seek assets that are vulnerable and/or unknown within an environment. Resultantly, companies will seek to understand what and who is running in their environment, and whether or not they need to be there. Such an effort is fundamental in implementing a ZTNA framework as well as achieving cyber resiliency.

8. Extracting the value of investments 

As we get into the "post COVID environment," the global cybersecurity market size is projected to grow almost $130 billion (USD), according to various surveys. This represents a Compound Annual Growth Rate (CAGR) of almost 10 percent from 2021 to 2026. The market's growth can be attributed to the increasing awareness and rising investments in cybersecurity infrastructure tools across global organizations operating across verticals.

But with that said many of our customers have a sprawling security tools portfolio, some with 210+ tools that likely consist of duplicative capabilities, underutilized modules, and de-coupled functionality. Overall, this security tool "bloat" drives increased cost and complexity across the organization, slowing monitoring deployment timelines. In addition, many companies have security tools that are not being utilized for a full return on investment (ROI). Not only are many of these tools expensive, but they also provide similar capabilities causing customers to waste valuable resources in license fees and maintenance costs. Other problems include poor integration with other technologies, steep learning curves for operations personnel and conflicting or incorrect reporting from a visibility, control and security perspective

We are seeing more organizations that are considering a portfolio review and capability mapping with the objective to gather a high-level understanding of the entire security tool estate (and how it came to be) to prioritize areas for deeper investigation. Then go through an identification of rationalization opportunity areas with the objective to identify high-level rationalization opportunities based on a logic/data-driven framework enabled by data and hypothesis collected in that step. More mature practices are then conducting a rationalization "deep dives" the objective of this step is to generate specific recommendations within each rationalization opportunity area, with implications (e.g., cost savings, organizational/ operational impact). Lastly all organizations should develop Roadmap, ROI, and recommendations with the objective to develop an executive-level ROI perspective for the overall initiative and provide learnings on how/why the tool sprawl occurred, as well as recommendations on intake processes & governance.

With the massive shortage in skilled resources in the industry organizations can't afford to consistently add new shiny objects they just need to simply focus on the basics and be great at 

At WWT we are hyper-focused on providing secure business outcomes for our global clients. We take on the most challenging problems our customers face and provide innovative solutions that can involve Data Governance Strategy, Security Platform and Tool Operationalization, AI/ML Model Security and Enterprise Security Architecture strategy. Our goal is to bring together business acumen with full-stack technical know-how to develop innovative solutions for our clients' most complex cyber challenges.

Explore how WWT can help with your security transformation
Learn more