Gary Robinson, CSO at Uleska offers his predictions for the cybersecurity sector as we enter 2022.
Looking back on 2021, it is fair to say it has been another memorable year for the cybersecurity industry. Yes, we have witnessed a lot of damage and devastating cyberattacks, but great things have also happened. Today, we are seeing the wide-scale adoption of DevSecOps, where organisations are ‘shifting left’ and introducing security into early development cycles, making products and applications safer for everyone.
We have also seen governments crack down on cybercriminals like never before, with some of the most notorious gangs being brought to justice. As cyberattacks continue to take down major organisations, defending against attackers has become a number one priority, with cybersecurity spending reaching an all-time high in 2021.
This shows that cybersecurity has moved from niche to mainstream, and that fighting back against attackers is top of the agenda for all organisations. So, what are the key trends we can expect to see impacting the security industry in the next year?
Here are Uleska’s predictions on the key themes that will have the biggest impact on DevSecOps, vulnerabilities and supply chain security in 2022, and beyond…
· There will be a large increase in the number of ‘DevSecOps’ job roles in 2022, with security skills combined with DevOps and automation in high demand. The role of the security engineer is going to change over the next few years, from running security tools and penetration tests by hand to integrating security checks into the team’s DevOps automation.
· The number of tools used by software and security teams is going to grow in 2022. As teams continue the move to cloud, infrastructure-as-code, containers and so on, they will need more checks in their pipelines on top of the usual static and dynamic analysis. Security teams are also going to start being measured and rewarded not just on the number of issues discovered, but on how efficiently they are discovered and how long they take to fix. We should also expect to see a change in how security issues are triaged, driven by shift-left and automation: better tooling will remove false positives, duplicates and non-issues automatically, so that engineers only see findings that need a decision.
· In the next few years, the majority of companies will be using software security automation, driven by increased regulation and by initiatives such as the Biden Executive Order on Improving the Nation’s Cybersecurity, which requires software supplied to the US federal government to be security tested before release. Security products will also be designed to run inside automation pipelines, instead of expecting a security specialist to be sitting at the screen.
· In the next 2-3 years there will be a focus on ‘just-in-time’ security training for development teams. As security issues are found in the course of their work, developers will need short, focused advice on how to fix those specific issues quickly. There are too many classes of security issue to learn all at once, so this focused ‘just-in-time’ way of learning will both increase security education and shorten ‘time-to-fix’ timelines.
· Over the next 3-5 years security tools are going to become easier to use. Previously you needed to study a security tool to know how to drive it, and many tools did not lend themselves to automation. Going forward, tool creators are realising their tool will not be sitting in front of an expert but will be wrapped into a security tool chain, and they will use that insight to make tools easier to use and easier to integrate with each other.
· In 2021 many non-IT organisations were forced to digitally transform their businesses so they could continue to operate during the pandemic amid the various stay-at-home orders. Digital transformation will continue to accelerate in 2022, but these organisations will now need to examine how to keep the resulting IT systems running securely, often without dedicated IT or security personnel or budget. Ransomware and other attacks now have a much wider pool of organisations to target, and those that do not take steps to protect their networks will be at the highest risk. Patching and vulnerability management, along with staff education, are going to be among the most critical defences.
· The 2021 update to the OWASP Top 10, which added Insecure Design (A04) and Software and Data Integrity Failures (A08), will feed into 2022 with an increased focus on the security design of software systems and on how they are built. We have seen an increasing number of attacks on the way systems are built, from breaching the build-and-release toolchain, to typosquatting popular software libraries, to attacking the open-source supply chain.
· In 2022 we will see an increase in the number of companies requesting SBOMs (Software Bills of Materials) from their suppliers: machine-readable lists of every component that makes up a software product, along with associated security assurance. Organisations will also move to continual security assurance, where suppliers are required to provide up-to-date security reports. No longer will a security report from six months ago satisfy security concerns about an update delivered yesterday. That gap feeds directly into the purchasing company’s own security assurance, so suppliers will need to catch up.
· We see no let-up in the rate of open-source usage, but in 2022 we expect a strong uptake of regular, automated checking of a company’s open-source dependencies. With so many commercial and open-source tools and services available to check dependencies against known vulnerabilities, this will become a natural part of supply chain security.
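As an added illustration of the SBOM and dependency-checking points above (this is example code written for this page, not Uleska’s product or any real scanner), the script below takes a CycloneDX 1.4 JSON SBOM, matches each component’s package URL and version against an advisory feed, and refuses a delivery whose SBOM is older than an agreed freshness window. The sample SBOM, the package names and the advisory list are all constructed for the example and do not describe real software or real vulnerabilities; the version parser is deliberately simplified and the advisory shape only loosely follows OSV.

```python
"""Check a CycloneDX SBOM for known-vulnerable components and for staleness.
Added example for this article; the SBOM and advisories below are made up."""
import json
from datetime import datetime, timezone

# Constructed CycloneDX 1.4 SBOM for a hypothetical product. Component names,
# versions and the production timestamp are invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2021-06-01T10:00:00Z",
        "component": {"type": "application", "name": "payments-api", "version": "3.2.0"},
    },
    "components": [
        {"type": "library", "name": "acme-http-client", "version": "2.14.1",
         "purl": "pkg:pypi/acme-http-client@2.14.1"},
        {"type": "library", "name": "acme-yaml", "version": "5.4.0",
         "purl": "pkg:pypi/acme-yaml@5.4.0"},
        {"type": "library", "name": "acme-jwt", "version": "1.7.1",
         "purl": "pkg:pypi/acme-jwt@1.7.1"},
    ],
})

# Constructed advisory feed in an OSV-like shape. Each entry names a package
# and the half-open affected range [introduced, fixed). Not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "pkg:pypi/acme-http-client",
     "introduced": "2.0.0", "fixed": "2.15.0", "summary": "header injection"},
    {"id": "EXAMPLE-2021-0002", "package": "pkg:pypi/acme-yaml",
     "introduced": "0", "fixed": "5.4.0", "summary": "unsafe load"},
]

# Fixed "today" so the example is deterministic; a real check would use utcnow().
REFERENCE_NOW = datetime(2021, 12, 20, tzinfo=timezone.utc)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1), compared field by field. Pre-release suffixes
    such as '1.0.0rc1' are cut back to their numeric prefix; fine for the
    example, not for a production matcher (use the packaging library there)."""
    nums = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        nums.append(int(digits))
    return tuple(nums)


def package_of(purl):
    """Drop the '@version' qualifier: pkg:pypi/x@1.2 -> pkg:pypi/x."""
    return purl.split("@", 1)[0]


def find_vulnerable_components(sbom, advisories):
    """Return [(purl, advisory_id)] for components inside an advisory range."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        version = parse_version(comp.get("version", ""))
        for adv in advisories:
            if package_of(purl) != adv["package"]:
                continue
            # Half-open range: a component at exactly the fixed version is clean.
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                hits.append((purl, adv["id"]))
    return hits


def sbom_age_days(sbom, now):
    """Whole days since metadata.timestamp (RFC 3339 with a trailing Z)."""
    stamp = sbom["metadata"]["timestamp"].replace("Z", "+00:00")
    return (now - datetime.fromisoformat(stamp)).days


def assess(sbom_text, advisories, now, max_age_days=30):
    """Accept a delivery only if no component is known-vulnerable and the SBOM
    was produced within max_age_days (the 'continual assurance' rule)."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings = find_vulnerable_components(sbom, advisories)
    age = sbom_age_days(sbom, now)
    return {
        "product": sbom["metadata"]["component"]["name"],
        "findings": findings,
        "age_days": age,
        "stale": age > max_age_days,
        "accept": not findings and age <= max_age_days,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SBOM, ADVISORIES, REFERENCE_NOW), indent=2))
```

Run against the sample, the check rejects the delivery twice over: acme-http-client 2.14.1 sits inside the hypothetical EXAMPLE-2021-0001 range, and the SBOM was produced 201 days before the reference date, far outside the 30-day window. acme-yaml 5.4.0 is not reported because it is exactly the fixed version, which is why the range is half-open.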
· In the next 2-3 years, we will see industries that lack strong regulation driven towards security anyway. Traditionally, heavily regulated verticals like financial services and healthcare have led the way in adopting security practices, but with the pandemic making online services business-critical, other industries such as transport, retail and utilities will see a marked increase in their need for security.