Gartner's security predictions for 2020 and 2021 hardly resembled those made for 2019. The basics, however, remain a constant through 2022.
In fact, cybersecurity basics — system protection, user controls, security infrastructure and information handling — are the foundation for what companies should expect in the next year.
"We're falling into this old habit of trying to treat everything that we do the same that we did in the past," said Sam Olyaei, director analyst at Gartner, during the virtual Gartner IT Symposium/Xpo Wednesday.
Organizations are "implementing controls the same way we implemented controls five years ago. We're investing in technology the same way we invested in prerogatives five years ago … and this simply cannot continue," he said.
The pandemic pushed the fast-forward button for digital transformation in many companies, yet the security needed for cloud-based instances and workloads is still lacking.
Here are Gartner's eight cybersecurity predictions for 2022:
Global privacy laws will expand
From the EU's General Data Protection Regulation (GDPR) to the California Consumer Privacy Act, consumer privacy regulation has increased dramatically. "This should not come as a surprise to many of you," Olyaei said. "We think that many of these regulations will have a flavor of GDPR instilled in them."
Gartner expects 75% of the world's population to have its personal data covered by privacy legislation by 2023. Depending on a company's jurisdictions, leaders might have to reconcile several different laws, as well as the requests their customers make.
To get a handle on data requests and compliance, "you're going to have to increase the adoption of automation," Olyaei said. To get ahead of impending legislation, Gartner recommends using GDPR principles as a foundational standard, and then adjust accordingly.
"That should be a sound strategy for many leaders today. We also think that you should take advantage of some of the privacy enhancing computation techniques that are available to you," Olyaei said.
Cybersecurity mesh architecture will be adopted
Gartner anticipates that organizations adopting a cybersecurity mesh architecture will cut the financial impact of security incidents by 90% by 2024.
Mesh architecture is a design "many organizations will have and will adopt as a result of the variety of technologies and silos that they have," Olyaei said. "This is an effort to optimize your technologies to make sure that each tool is talking to the other, each log is feeding back into the other," to orchestrate the environment. The mesh architecture will help provide a more holistic view of a company's cybersecurity.
The architecture is designed to include identities outside a company's perimeter, and it forces companies to define explicit access authorizations for secure remote work. "We also ask that you look at access management solutions that have strong adaptive access controls for zero trust purposes," Olyaei said.
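As an added illustration of the "strong adaptive access controls" recommended above (example code written for this page, not Gartner's or any vendor's), the block below is a small policy engine in the mesh spirit: it pulls signals from several tools, a failed-login count parsed from constructed authentication-log lines, device posture from endpoint management, geolocation from the identity provider and a threat-intel flag, scores them, and returns allow, step-up or deny. The signal names, weights, thresholds, log format and user names are all assumptions.

```python
"""Adaptive access decision combining signals from several security tools.

Added, illustrative example only; not Gartner's or any vendor's code.
Signal names, weights, thresholds and the log format are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after phishing-resistant MFA
    DENY = "deny"


@dataclass
class AccessContext:
    user: str
    resource_sensitivity: str        # "low" or "high"
    mfa_methods: tuple = ()          # e.g. ("totp",) or ("webauthn",)
    device_managed: bool = False     # from endpoint management
    device_patched: bool = False     # from vulnerability management
    country: str = "US"              # from the identity provider's geo lookup
    recent_failed_logins: int = 0    # from authentication logs
    ip_flagged: bool = False         # from a threat-intel feed


# Countries each user has previously signed in from (constructed sample data).
KNOWN_COUNTRIES = {"alice": {"US", "DE"}, "bob": {"US"}}

# Assumed weights and thresholds; a real deployment would tune these.
WEIGHTS = {"unmanaged": 30, "unpatched": 15, "new_country": 25,
           "failed_login": 10, "threat_intel": 60}
STEP_UP_THRESHOLD = 25
DENY_THRESHOLD = 70

# Constructed auth-log lines standing in for the identity provider's log feed.
SAMPLE_AUTH_LOG = [
    "2022-01-10T08:01:02Z AUTH_FAIL user=bob src=203.0.113.7",
    "2022-01-10T08:01:30Z AUTH_FAIL user=bob src=203.0.113.7",
    "2022-01-10T08:02:11Z AUTH_OK user=alice src=198.51.100.4",
    "2022-01-10T08:02:45Z AUTH_FAIL user=bob src=203.0.113.7",
]


def failed_logins_from_log(lines, user):
    """Count AUTH_FAIL events for `user` in the assumed log format."""
    return sum(1 for ln in lines
               if "AUTH_FAIL" in ln.split() and f"user={user}" in ln.split())


def risk_score(ctx: AccessContext) -> int:
    """Additive risk score from the individual signals."""
    score = 0
    if not ctx.device_managed:
        score += WEIGHTS["unmanaged"]
    if not ctx.device_patched:
        score += WEIGHTS["unpatched"]
    if ctx.country not in KNOWN_COUNTRIES.get(ctx.user, set()):
        score += WEIGHTS["new_country"]
    score += min(ctx.recent_failed_logins, 5) * WEIGHTS["failed_login"]
    if ctx.ip_flagged:
        score += WEIGHTS["threat_intel"]
    return score


def decide(ctx: AccessContext) -> Decision:
    """Hard rules first, then the score; explicit denies are never softened."""
    if ctx.ip_flagged:
        return Decision.DENY
    if ctx.resource_sensitivity == "high" and not ctx.device_managed:
        return Decision.DENY
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= STEP_UP_THRESHOLD and "webauthn" not in ctx.mfa_methods:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    bob_failures = failed_logins_from_log(SAMPLE_AUTH_LOG, "bob")
    ctx = AccessContext("bob", "low", ("totp",), device_managed=True,
                        device_patched=True, recent_failed_logins=bob_failures)
    print(risk_score(ctx), decide(ctx).value)  # 30 step_up
```

The point of the structure is that the decision is only as good as the signals fed into it: the same user on the same device gets a different answer once the authentication log shows three recent failures, which is exactly the "each log feeding back into the other" behaviour the mesh idea calls for.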
Products and solutions will consolidate
Nearly one-third of enterprises will adopt cloud-delivered secure web gateway, cloud access security brokers, zero trust network access technologies, and firewall as a service capabilities all from the same vendor by 2024, Gartner predicts.
"This is along this theme of optimization and consolidation. Many of you leaders have told us that the average number of security tools in your environment [is] 30, 40 and 50. Many of you want to consolidate to less than 10," Olyaei said.
Not only will SaaS adoption continue to increase, hardware refresh cycles will be impacted as the cloud slowly overhauls legacy technology. Companies will need up-to-date inventory of equipment and contracts to slowly replace legacy solutions. Throughout this process, leaders must keep zero trust principles in mind for all users and applications.
"Vendor consolidation is top of mind due to technology overload, and more importantly, the information overload that these technologies provide," he said. "When was the last time you pulled reports from your technologies and tried to make sense of it?"
Cybersecurity will be a dominant consideration in third-party risk
Gartner expects 60% of organizations to use cybersecurity risk as a primary determinant in third-party business transactions by 2025. Transactions include mergers and acquisitions, vendors, or investments. Companies have to bring security leaders in before due diligence is completed during M&A.
"Many of you will have hundreds of suppliers and vendors that you deal with. Many of you don't know what types of sensitive data these vendors and suppliers and others have access to," Olyaei said. Venture capitalists in particular use cyber risk as a determinant in investing.
Companies cannot afford security to be an afterthought when working with a third party, which means transactional decisions will demand everyone's attention — they cannot happen siloed in departments.
"Today, security decisions are not just made by the security team or by the IT team; the product managers are making decisions about security, marketing is making decisions about security, chief financial officers make decisions about security," Olyaei said. Companies will need to adopt a third-party assurance program, which focuses on risk assessments, ratings or certifications.
Still, transactions will always leave unknown risks. "As a leader, this is where your profile comes to the forefront: You have to make decisions with the incomplete data that you have," he said.
Ransomware-related regulations will pass
One in three nation states will adopt regulations for ransomware payments, fines and negotiations through 2025, according to Gartner. Currently, just 1% of nation states have such rules in place.
"The implications for you are pretty interesting and important," Olyaei said.
Given the different models ransomware gangs rely on and the negotiations companies enter into, Gartner expects disruption to last longer for companies that lack ready access to cryptocurrency. If a company does decide to pay a ransom, "you may break laws that you're unaware of," Olyaei said, or invite repeat ransom attacks.
"We always recommend not to engage with rogue and threat actors, however, we recognize that that's not always feasible," Olyaei said. "Don't do this on your own." Instead, engage relevant stakeholders, insurers, or third-party negotiators.
Boards will add cybersecurity committees
Following the SolarWinds hack, the company added a cyber-specific committee to its board. Gartner expects other companies to follow suit: by 2025, 40% of boards of directors will have a cybersecurity committee, overseen by a qualified board member.
"We're not talking about your audit and risk committee. We're not talking about your technology committee," Olyaei said. Security leaders will have to get accustomed to stricter oversight and scrutiny from their boards.
"The most important and interesting implication is, there's not going to be a one-size-fits-all approach to board reporting," he said. "Your reporting technique and communication tactic has to shift based on the board member's profile."
CEOs will call for a resilient culture
Resilience is something companies have to practice, regardless of the crisis — cyber, weather, or geopolitics. "We're now past the concept of cybersecurity. And we're now looking at organizational resilience as a whole," Olyaei said.
Gartner expects 70% of CEOs to mandate a culture of resilience into their organizations by 2025. Not only will this impact a company's internal security strategy, it will also affect how it produces its goods. "You'll have to reinvent the pipeline," said Olyaei. It's not dissimilar to the changes SolarWinds made to its software build cycle following the attack against its systems.
Companies will have to form a resilience team that works across departments to define goals. A culture of resilience will require collaboration between business continuity management and non-technical experts.
OT will be weaponized in the most harmful way
By 2025, Gartner anticipates, threat actors will have successfully weaponized an OT environment to cause human casualties. "In some instances, this prediction is already proven to be either true or on track to be true," Olyaei said.
IT and OT environments identify malware very differently. Companies that operate both have to educate their OT engineers with an IT-like mindset. "If there's an issue that occurs in information security centric environments, the worst case that can happen is you lose a few data records, and you get fined by a regulatory agency," Olyaei said. In an OT environment, "you're now looking at safety concerns."
Cyber-related business disruption will no longer be the primary focus of response; bodily harm will be. "This ultimately will boil down to regulatory reaction. We believe that regulatory reaction will likely place liability on the CEOs," Olyaei said.
To avoid an OT security incident, Gartner recommends companies review their resourcing profile to ensure the systems that manage cyber-physical systems are covered. An up-to-date asset inventory is crucial to account for the IoT devices and platforms added to an environment.