It’s no secret that 2021 was a difficult and stressful year to be a cybersecurity professional. The pandemic-driven remote/hybrid work paradigm and the increased prevalence of ransomware caused many to fundamentally reevaluate their security strategies. This year will be no different, and we’ll likely see an even greater increase in threats as malicious actors find new attack vectors, so it’s important for organizations to be well-equipped to address them.
To mitigate these risks, companies must look to build a more standardized approach to measuring security effectiveness. Unfortunately, the lack of one remains the primary obstacle for organizations that want to implement effective security programs, and additional adjustments will be required for success in the new year. Moreover, the industry will see zero trust adoption accelerate compared with years past. While a little less than half of security leaders are currently prioritizing zero trust principles as part of their security strategy, we’ll see that number cross the halfway threshold by the end of 2022.
Below, I’ll dive a bit into each of these expectations and some steps organizations can take to make these initiatives more effective.
Establishing an effective, standardized metrics benchmark
After an unprecedented year of destructive cyberattacks, it’s clear that this year will be a defining moment in how organizations reset the fundamentals of their security programs. This must begin with standardizing security metrics that are actionable. The absence of a framework that is relatable to an organization’s business, and of a customizable approach, are primary reasons organizations haven’t implemented effective security programs. What’s more, only a third of cyber leaders believe their teams are tracking the right metrics. Without benchmarks, many cyber leaders have trouble relating progress to their business executives, which ultimately leads to a communications gap and less investment in an organization’s security posture.
Areas that every organization needs to prioritize this year, and should consider developing actionable metrics around, include:
- Level of preparedness: How well is a company prepared for an attack? The best way to measure this will vary across organizations, but the most effective method to track levels of preparedness ensures that the right security controls are in place and working. This requires security teams to run breach and attack simulation exercises that can point out failures or gaps that should be addressed.
- Tool efficacy: Organizations have invested millions of dollars over the years in various security tools and technologies. But many are dormant, underutilized or suboptimized. It is important that security and operations teams have a way to ensure these investments are working and optimized to deliver protection as part of a cohesive program.
- Operational gaps in coverage: Security teams should leverage leading frameworks such as Cyber Kill Chain and MITRE ATT&CK to measure coverage and identify gaps. By understanding the nature and level of detection they have against each technique, security teams can understand their vulnerabilities and prioritize their investments.
- Coverage against risk scenarios: The primary purpose of cybersecurity programs is to protect an organization against cyber risk. Organizations should prioritize what risks are of most concern to them, the types of threats and attack vectors that could manifest them and understand what protection measures they have against them.
- Mean time to detect, resolve and contain attacks: Tracking the time it takes to detect, resolve, and contain malicious attacks can help organizations prioritize which step in the security process needs attention and optimization the most.
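An added example, not part of the original article: one way to compute two of the metrics above, the mean time per response phase (flagging the slowest phase) and per-tactic detection coverage against MITRE ATT&CK techniques. The incident records, the phase boundaries and the detection levels (`alert`, `log`, `none`) are assumptions constructed for illustration; the technique IDs are real ATT&CK identifiers.

```python
from datetime import datetime
from statistics import mean

# Constructed incident timelines (illustrative sample, not real data).
INCIDENTS = [
    {"start": "2022-01-03T08:00", "detected": "2022-01-03T20:00",
     "contained": "2022-01-04T02:00", "resolved": "2022-01-04T14:00"},
    {"start": "2022-02-10T09:00", "detected": "2022-02-11T09:00",
     "contained": "2022-02-11T13:00", "resolved": "2022-02-12T01:00"},
    {"start": "2022-03-01T00:00", "detected": "2022-03-01T06:00",
     "contained": "2022-03-01T08:00", "resolved": "2022-03-01T20:00"},
]
# Assumed phase boundaries: each phase runs between two recorded timestamps.
PHASES = {"detect": ("start", "detected"),
          "contain": ("detected", "contained"),
          "resolve": ("contained", "resolved")}

# Small subset of ATT&CK Enterprise: technique ID -> tactic.
TECHNIQUES = {"T1566": "Initial Access",     # Phishing
              "T1190": "Initial Access",     # Exploit Public-Facing Application
              "T1059": "Execution",          # Command and Scripting Interpreter
              "T1003": "Credential Access",  # OS Credential Dumping
              "T1021": "Lateral Movement",   # Remote Services
              "T1486": "Impact"}             # Data Encrypted for Impact
# Constructed detection inventory; a missing technique means no detection.
DETECTIONS = {"T1566": "alert", "T1190": "log", "T1059": "alert",
              "T1003": "none", "T1486": "log"}

def phase_means(incidents):
    """Mean hours spent in each response phase across all incidents."""
    def hours(inc, a, b):
        delta = datetime.fromisoformat(inc[b]) - datetime.fromisoformat(inc[a])
        return delta.total_seconds() / 3600
    return {name: round(mean(hours(i, a, b) for i in incidents), 1)
            for name, (a, b) in PHASES.items()}

def slowest_phase(means):
    """Phase with the largest mean duration: the first one to optimize."""
    return max(means, key=means.get)

def coverage_gaps(techniques, detections):
    """Per tactic: techniques with alerting vs. total, plus the gaps."""
    report = {}
    for tid, tactic in techniques.items():
        entry = report.setdefault(tactic, {"alerting": 0, "total": 0, "gaps": []})
        entry["total"] += 1
        level = detections.get(tid, "none")
        if level == "alert":
            entry["alerting"] += 1
        else:  # telemetry only ("log") or nothing at all ("none")
            entry["gaps"].append((tid, level))
    return report
```

Distinguishing `log` from `none` in the gap list separates techniques that only need a detection rule written from those that first need telemetry collected.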
Using these metrics as a benchmark will significantly improve a company’s security posture, but it’s important to consistently revisit these metrics to adjust to the ever-changing cybersecurity landscape. Once these metrics are aligned, organizations can start thinking about security more strategically, including adopting new mindsets like zero trust.
Changing the narrative around zero trust
Zero trust has been one of the biggest buzzwords of 2021. However, confusion remains across the industry regarding its impact and how to take advantage of this security model. With less than half of security leaders saying they are prioritizing implementing zero-trust principles as part of their security strategy, it is clear it is getting serious consideration. This year we will see conversations around and adoption of zero trust speed up, as long as organizations look at it through the proper lens.
For successful implementation, zero trust can’t be thought of as a single-packaged solution; it’s essentially rethinking enterprise security and cutting across silos. It’s an evolution of the security paradigm that requires continuous monitoring. With that said, the industry as a whole must do its part over the course of the upcoming year to educate organizations on the ins and outs of zero trust, especially with destructive attacks set to increase in 2022.
The continuous shift toward remote work also means more companies should be adopting this framework, as organizational data and assets are not confined within the enterprise firewalls. Your security infrastructure is only as strong as your weakest link, and consumer-grade home networks are much easier to infiltrate. Of course, companies can insist employees use VPNs, but those are still easily hacked and the shift to remote work has exposed their weaknesses.
As 2022 progresses, companies will continue to take a step back and look at their security programs more holistically. Changing fundamental practices like adjusting which metrics to track or adopting entirely new mindsets will allow these companies to usher in new strategies or tactics they haven’t leveraged in the past. Although we’ll likely see an increase in cyber-attacks next year, I’m hopeful that more organizations will pave the path to be better prepared to address these threats.