Among my three cybersecurity predictions for 2022, the one that I am optimistic about is cybersecurity getting more mindshare in the boardroom. Expect to see cybersecurity-focused board members taking an active role in understanding the organization’s cybersecurity posture, including requests for additional metrics and frequent board updates. Here are my three predictions:
By Sriram Tarikere, Senior Director with Alvarez & Marsal’s Global Cyber Risk Services in New York
1. Ransomware threats will continue to evolve: Ransomware threats will continue to dominate the rest of 2021 and into 2022. Cyberthreat actors will continue to get creative, and their attacks will become more sophisticated to ensure that organizations cannot recover normal business operations without paying the ransom. In a shift from a single group managing the full attack life cycle, threat actors will form specialized groups that gain access to organizations and then sell that access to ransomware operators. The malware deployed by these groups will not be limited to a single vulnerability; rather, it will dynamically modify and adapt itself to the wide range of vulnerabilities present in corporate IT as well as operational technology (OT) systems.
2. Cybersecurity enters the boardroom: Cybersecurity will be top of mind for boards of directors and executive leadership teams. Expect to see cybersecurity-focused board members taking an active role in understanding the organization’s cybersecurity posture, including requests for additional metrics and frequent board updates. This is due to regulatory pressure from agencies like the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), which have made strong statements on enforcement against organizations that fail to protect customer data. Gartner predicts that by 2025, about 40% of boards will either have dedicated cybersecurity committees or have qualified board members focused on cybersecurity overseeing the organization’s cybersecurity maturity, up from less than 10% today.
3. Heightened scrutiny by cyber insurance companies of organizations’ cyber hygiene: Cyber liability insurance is a type of business insurance that organizations acquire to cover the losses, penalties, and other liabilities associated with cyberattacks and data breaches. With ransomware incidents becoming more prevalent, insurance claims and payouts are reported to be exceeding the premiums being paid. As a result, cyber insurance companies will enhance their due diligence and start performing a comprehensive assessment of an organization’s cyber hygiene and security posture when issuing or renewing policies. We can also expect to see cyber insurance premiums increasing exponentially and, in some cases, cyber insurance providers excluding ransomware coverage when issuing or renewing policies.
About the Author
Sriram Tarikere has over 15 years of experience in executing cybersecurity and privacy risk assessments, ranging from very detailed ISO 27001/NIST, HIPAA, PCI DSS and risk quantification assessments, to technical cloud and blockchain secure design and architecture reviews, application and network security assessments, red teaming, threat hunting and social engineering exercises. He has led and coordinated incident response and forensic investigation efforts for some of the largest and most high-profile breaches in the recent past. He also advises clients on some of the most complex cybersecurity initiatives and acts as a trusted security adviser to organizations, C-suite executives and board members.
Tarikere earned a master’s degree in computer science/cybersecurity from New York University. He holds the Chief Information Security Officer (CISO) certificate. He is a CISSP, PCI-QSA, GWAPT, GCIH and ISO 27001 Lead Auditor.