The last 24 months have been unpredictable, to say the least. But even in an era of unpredictability, patterns serve as future predictors. Full disclosure: I don't have a crystal ball (though I sometimes wish I did). We've worked with lots of business leaders and IT teams this year who echo the following future predictors, which I'll hedge as larger trends to watch (and prepare for) in 2022.
Prediction #1: Expect governance to take center stage in IT security strategy.
Governance isn't new, but for years midsize businesses deferred governance measures, assuming they only impacted large enterprises. While it's true that historically, large enterprises were the ones who made headlines for data breaches and non-compliance, that'll be less true moving forward. Attacks targeting small and midsized enterprises are steadily rising and, as such, regulators are focusing on what measures smaller enterprises are or aren't taking to protect sensitive data. Data security and data privacy compliance isn't an optional practice - it's a mandatory requirement, and companies failing to comply will be fined.
Governance will continue to link across data management and IT security practices, but expect it will show up at the board level too, as it falls within the realm of fiduciary responsibility. Boards have no choice but to take it seriously from a liability perspective and will cascade formal governance requirements through the organization as a result.
Prediction #2: As-a-service, at your service.
We've gradually seen midsized enterprises and SMBs adopt enterprise tools as they work to strengthen cybersecurity defenses. But through that adoption, teams have discovered that a) enterprise-grade tools are expensive; b) onboarding separate tools for separate functions creates a number of vendors that teams have to manage; and c) too many tools create too much noise. As-a-service options are the alternative for bootstrapped teams, and with the cybersecurity industry leaning into 'as-a-service' offerings, we see this trend continuing through '22.
BUT, teams need to exercise caution in onboarding too many as-a-service tools. While all tools serve an important purpose, there is no intersection point between them so it's tough to get a clear picture on the overall health of the business's data security. That lack of cohesion makes it tough to action as-a-service outputs, which defeats the purpose. Businesses subscribe to as-a-service offerings to help reduce their overall cyber risk, but unfortunately too much of a good thing with zero correlation can drive risk up.
Prediction #3: Automation nation.
We know that 85% of breaches happen as a result of human error, and unfortunately that's because many teams continue to rely on manual processes when it comes to controls processes, systems configurations and data management. Even as IT and cybersecurity spend increases, many of the teams we talk to struggle to streamline processes and resource their teams appropriately. The good news is that midsized enterprises are getting behind process automation. Overall data security is a top motivator, but these organizations are also aiming for efficiency that will free up resources to focus on strategic work, instead of getting buried in the weeds.
Prediction #4: (Functional) data stewardship will formalize.
This one directly correlates to governance. Data privacy regulations boil down to understanding the custody of data and determining who's the owner, and who's the custodian. Knowing the difference between the two fundamentally changes the way we think about data. For years, personally identifiable information (PII) has been used as a blanket term to describe personal data. But the reality is that under that umbrella, there are many different types of PII, and varying degrees of sensitivity associated with each type. Having the ability to classify data by type is important not only when it comes to completing audits, but also for data protection. By knowing what types of data your organization has, you can properly rank and prioritize them according to risk.
Just like governance, expect to see greater conversation and pressure emerge around data stewardship. While critically important, successfully assigning and managing data stewardship is tough; businesses have data everywhere, most still rely on some level of manual data management processes and many haven't formalized governance programs. Coincidentally, companies will have to lean into prediction #2 (as-a-service) and #3 (automation) to support data stewardship.
The reality is that distributed systems, increased regulatory demands and the ever-changing threat landscape are driving next year's very connected themes. The legacy technologies of yesteryear (hardware, VPN, IDS systems) were designed to protect a traditional perimeter, but that perimeter no longer exists. For end users, the products and technologies that will make a difference will be those that understand that simplicity and functional consolidation are key.
As an IT professional, you'll inevitably manage all or most of these four predictions. Seeking a solution that can stand up on its own, do what it's supposed to do and provide actionable outcomes that prevent data loss will ultimately help you overcome the pervasive cybersecurity themes of the coming year - and help you guard your stretched perimeters.