From a funding standpoint, 2021 was a banner year for cybersecurity startups. Through Q3 alone, new companies netted more than $14 billion in venture capital investments, nearly doubling the record of $7.8 billion in 2020. The need for stronger security has also appealed to, among others, the federal government. Last August, President Joe Biden hosted a cybersecurity summit urging leaders from a number of tech giants to step up their security efforts. In addition, the proposed $1 trillion infrastructure bill includes $2 billion earmarked to improve a wide range of cybersecurity systems.
The financial and legislative interests in cybersecurity seem to indicate that cybersecurity budgets are expanding. This line of reasoning aligns with conversations I’ve had with business executives and thought leaders. The big question is: Where should expanded security investments go?
I believe that in 2022, companies should follow a cybersecurity investment blueprint based on emerging challenges in the coming year. Broadly speaking, that blueprint should incorporate three distinct phases: plan, prepare and protect.
Phase I: Plan
A cybersecurity project is complex, so it is best to set out goals — aspirational, in some cases — before embarking on the journey. Here are a couple of initiatives that can set the tone:
- Consolidate cybersecurity solutions. Reducing cybersecurity complexity lowers an organization’s risk footprint. For example, data masking, tokenization and encryption solutions were traditionally developed in independent silos. Consider transitioning to a single data transformation approach that relies on a unified key management source to reduce the risk of misconfiguration and ease data management. Identity management is another area where new cloud-based solutions accessed by APIs can help consolidate sprawl and unify access control of sensitive data.
- Reduce cybersecurity supply chain risk. We’re currently experiencing a historic supply chain slowdown in the physical world. Cybersecurity is suffering from its own supply chain crisis, in which code used for critical infrastructure inherits vulnerabilities from the open-source projects it is built on. A thorough audit and penetration testing exercise can identify vulnerabilities that need to be addressed as soon as possible. Doing so can help protect against hackers who are getting more sophisticated by the day.
Phase II: Prepare
The next phase is to take concrete, tactical steps to identify critical assets and develop policies to protect them. Consider the following suggestions:
- Employ data discovery and use determination tactics. The first step to protecting data is to identify where it comes from and where it is stored. Next, assign a sensitivity score to the data based on the compliance mandates that apply to it. Finally, determine how that data is processed downstream. Privacy regulations require that any data collected have a purpose associated with it, so it is vital to identify its use. Any data stored without a use justification should be destroyed to eliminate the risk of retaining it unnecessarily.
- Prepare for privacy regulations. While the U.S. still does not have a national privacy regulation like the EU’s GDPR, some states have enacted more stringent consumer privacy regulations that businesses will have to prepare for in the coming year. On Jan. 1, 2023, the California Privacy Rights Act (CPRA) — perhaps the most comprehensive state privacy law — will go into effect, along with Virginia’s Consumer Data Protection Act (CDPA). It is safe to assume that forward-looking companies based in, or doing business with customers in, those states should be working diligently over the coming 12 months to ensure they have the appropriate infrastructure in place to comply. To that end, all businesses that collect consumer data should begin to take the necessary steps to protect it more responsibly. Preparing now should make compliance easier once a law is in place.
Phase III: Protect
Finally, the most critical phase is to protect that data. These tactics can help do just that.
- Protect the data analytics pipeline. The world changed in a single year — forcing organizations to adjust how they worked, reprioritize products they offered (and how they offered them) and rethink their target markets. These pivots resulted in the collection of entirely new datasets about their customers’ behavior, representing a veritable gold mine that organizations cannot wait to get their hands on. However, before the data can go to the cloud to be analyzed, it must be protected. The outcome of the “prepare” task around data discovery and classification will drive the transformation of that data by masking, tokenizing or encrypting it with an appropriate access policy. Many organizations will increase cloud data protection investments and more quickly apply data for market-differentiating insight to accelerate data analytics.
- Address the cybersecurity talent gap. According to a recent study by the Information Systems Security Association, 95% of cybersecurity professionals feel the industry’s skills shortage has not improved in recent years, and 44% feel it is getting worse. With so many organizations quickly moving to the cloud, there is a steep learning curve that can increase the risk of compromises without the proper talent.
Some jobs require a human touch, and expanded education around those tasks can create opportunities for current employees and attract top talent from outside the company. Organizations can also save resources without compromising security by implementing automated solutions for jobs in which human skill is less necessary. Additionally, automation can take many tasks off employees’ plates, reducing stress and increasing job satisfaction.
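The "prepare" and "protect" items above describe one pipeline: discover sensitive values, score their sensitivity against a compliance mandate, drop anything without a declared purpose, and then mask or tokenize what remains before it leaves for analytics. The following Python script is an added illustration of that pipeline and is not code from the article or from any vendor product. The detector patterns, the sensitivity-to-mandate mapping, the purpose registry, the sample records and the key are all constructed for the example; keyed HMAC-SHA256 stands in for whatever tokenization the chosen data transformation layer provides, and in practice the key would be fetched from the unified key management source rather than embedded.

```python
import hashlib
import hmac
import re

# Constructed sample records (hypothetical customer-event data, not from any real system).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "phone": "415-555-0199",
     "card": "4111111111111111", "region": "CA", "browser_fingerprint": "fp-8813"},
    {"email": "bob@example.org", "phone": "212-555-0123",
     "card": "5500000000000004", "region": "VA", "browser_fingerprint": "fp-2201"},
]

# Discovery: detectors that recognise sensitive values by content, not by column name.
DETECTORS = {
    "card":  re.compile(r"^\d{13,19}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\d{3}-\d{3}-\d{4}$"),
}

# Sensitivity score per data type and the mandate it is derived from (assumed mapping).
SENSITIVITY = {
    "card":  ("restricted", "PCI DSS"),
    "email": ("confidential", "CPRA/GDPR"),
    "phone": ("confidential", "CPRA/GDPR"),
}

# Purpose registry: every collected field must carry a declared use.
# A field absent from this registry has no justification and is dropped, not retained.
PURPOSE_REGISTRY = {
    "email":  "order notifications",
    "phone":  "fraud callbacks",
    "card":   "payment processing",
    "region": "demand forecasting",
}

# Placeholder key; a real deployment pulls this from the unified key management source.
EXAMPLE_KEY = b"placeholder-key-from-kms"


def luhn_ok(digits):
    """Luhn checksum: confirms a 13-19 digit string is plausibly a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value):
    """Return (data_type, sensitivity, mandate) for a sensitive value, else None."""
    for dtype, pattern in DETECTORS.items():
        if pattern.match(value):
            if dtype == "card" and not luhn_ok(value):
                continue        # digit run that fails Luhn is not treated as a card
            level, mandate = SENSITIVITY[dtype]
            return dtype, level, mandate
    return None


def inventory(records):
    """Discovery report: which fields hold which class of data, and under which mandate."""
    found = {}
    for rec in records:
        for field, value in rec.items():
            hit = classify(str(value))
            if hit:
                found[field] = hit
    return found


def tokenize(value, key):
    """Restricted data: keyed token that analysts can join on but cannot reverse."""
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask(dtype, value):
    """Confidential data: keep only what analytics needs (domain, last four digits)."""
    if dtype == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    if dtype == "phone":
        return "***-***-" + value[-4:]
    return "***"


def prepare_for_analytics(record, key):
    """Apply the purpose check, then transform each field according to its sensitivity.

    Returns (transformed_record, dropped_fields)."""
    out, dropped = {}, []
    for field, value in record.items():
        if field not in PURPOSE_REGISTRY:
            dropped.append(field)           # no declared use: destroy rather than keep
            continue
        hit = classify(str(value))
        if hit is None:
            out[field] = value              # nothing sensitive: pass through
            continue
        dtype, level, _mandate = hit
        if level == "restricted":
            out[field] = tokenize(str(value), key)
        else:
            out[field] = mask(dtype, str(value))
    return out, dropped


if __name__ == "__main__":
    print("inventory:", inventory(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print(prepare_for_analytics(rec, EXAMPLE_KEY))
```

The tokens are deterministic under one key, so the analytics side can still count repeat customers or join the event table to a payments table, while the key itself (and therefore the ability to reverse anything) never leaves the transformation layer. Rotating that key, or using a different key per downstream consumer, is the access-policy knob the article refers to.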
The motivations for protecting data and the methods employed to do so continue to change. It will be interesting to see how organizations address emerging challenges and if their investments pay off. One thing is certain — solid cybersecurity policies and practices will always be essential for every size company in every vertical market.