5 priorities for CISOs to regain much needed balance in 2022

Nearly 9 out of 10 CISOs say their existing systems secured their enterprise through a shift to remote work, an ongoing labor shortage, and a huge spike in cybersecurity attacks. But that success came with a price: 64% say they’re more stressed out than they were a year ago. 

How can CISOs navigate a new set of challenges in 2022, while also regaining some much needed balance? 

We asked CISOs, security practitioners, and other experts where security leaders should be investing their time, energy, and resources in the year ahead. Here are five areas across workforce, tools, and methodology that they say should be priorities in the new year.

1. Secure your hybrid workforce

The transition into long-term hybrid work environments presents security challenges that few enterprises have encountered, says Katie Teitler, vice president of research at TAG Cyber, a cybersecurity research firm.

“In 2021, it was all about securing remote work,” Teitler says. “Hybrid work is a different paradigm. CISOs have to balance worker productivity with security in a way we’ve never seen.”

If 2021 focused on security fundamentals, 2022 will be the year of identifying opportunities for improvement, with security pros becoming more adept at tactics and processes for ensuring every device is locked down. Security chiefs will need to manage access and establish governance for a constantly changing mix of in-office and at-home employees using personal and company devices — some of which escaped important software patches and updates during the pandemic.

For many organizations, that means investing more in cloud-based extended detection and response, or XDR, which combines security information and event management (SIEM) with endpoint detection and response (EDR), analytics and intelligence, and identity and access management tools.

A hybrid workforce in 2022, Teitler adds, “will mean supporting more different and disparate types of technologies and access requirements.”

2. Embrace Zero Trust frameworks

President Joe Biden’s May 2021 executive order calling for improvements in national cybersecurity cited Zero Trust, a security methodology and framework built around the idea that no traffic on enterprise networks should be trusted, even if it’s generated by authenticated users.

The Zero Trust security framework is becoming an essential tool in the CISO’s arsenal, as it forces teams to rethink the way network access works and more closely scrutinize the products they rely upon.

In 2022, experts say, security teams must better understand Zero Trust methodologies and products and be ready to implement them. Many of them got a head start during the pandemic: The crisis prompted 60% of enterprises to accelerate their adoption of Zero Trust.

“Zero Trust is the opposite of the old proverb, ‘trust, but verify,’” says Nate Fick, general manager of security at Elastic. “It’s a risk management approach that translates to ‘trust nothing and record everything.’ With Zero Trust, security can become an enabler that allows smarter access to systems and data while delivering a greater level of protection.”

3. Automate security workflows

As security systems become more complex, human analysts can’t keep tabs on current and potential threats at all times. That means an increased reliance on robotic process automation (RPA) and other tools to automate workflows of rote tasks.

“Automation should free up some of the security team’s time to focus on higher level analysis,” says Teitler.

For security organizations that rely on Zero Trust frameworks, automation tools can also handle routine issues on their own and escalate only those incidents that require human intervention — returning time to overburdened security analysts to focus on higher-level threats.

4. Commit to upskilling your team

It’s a good time to re-evaluate the skills on your security team and identify gaps — and not just technical ones. Developing and strengthening business acumen and soft skills now fall squarely on the shoulders of security leaders.

For Liz Tluchowski, CIO and CISO of World Insurance Associates, a New Jersey–based insurance brokerage with 1,400 employees and 131 offices across the US, helping her security team deepen its business analytics skills and communication strategies is a top priority in the coming year. As security professionals become a core part of the management team, they must understand the entire business process and be able to explain where their work fits in.

CISOs must also invest in building an organization-wide security culture. The most common cyberattacks, after all, aren’t caused by technical failings but result from social engineering or phishing exploits that take advantage of human error or oversight.

“Security professionals must learn to translate the arcana of their work into the language of business risk,” Fick says. But it’s also important that business leaders invest time in understanding the language of security too. “Good management teams and boards must meet in the middle,” he added.

5. Don’t let your team (or yourself) burn out

If there’s one other priority CISOs shouldn’t lose sight of heading into 2022, it’s preserving better work-life balance — not just for their teams, but for themselves. Before COVID-19 sent them scrambling to manage cyber risks from home, the average enterprise security operations team chased down more than 110,000 security alerts each day, according to a 2020 Forrester study; less than half (47%) were able to keep up.

As leaders focus on developing successful hybrid team models, they need to ensure that everyone gets sufficient time away from work.

While major challenges lie ahead in 2022, smart CISOs can already look to the future as they think about solutions to these emerging issues. By embracing emerging security strategies like Zero Trust and improving automation tactics, they’ll be better positioned to support the demands of a new hybrid workforce.