The 2022 Security Stories That Will Shape The Future


Another year is over. What kind of mark is 2022 going to leave on the security industry? How will 2022 be remembered? Most importantly, how should our jobs change, and how should we react, based on this year’s developments?

The stories below are meant to capture the 2022 developments that are going to shape our industry going forward. You won’t find the biggest list of breaches for this year; instead, we are capturing those stories that change our jobs and our threat landscape for the foreseeable future. It’s worth taking some time to consider how these top stories will impact you and your security program in 2023. Big thanks to Shannon Lund for her help putting this together.

The 2022 Security Stories That Will Shape The Future

Cyber Insurance Premiums - By now we’ve all seen the massive premium increases for cybersecurity insurance. What began as a minor inconvenience has turned into a potential disruption of our security risk management strategies. According to insurance broker Marsh, cybersecurity premiums have increased at greater than 100% per year. Anecdotally, I have heard from numerous CISOs who have seen 3-5x increases on their policies when they have attempted to renew, and this trend has continued for multiple years. Combined with lower coverage limits and more policy exclusions, this is leading some CISOs and CFOs to consider whether cybersecurity insurance is a worthwhile investment.

I suspect that if we continue to see premiums climb, every CISO is going to need to re-evaluate their cyber insurance strategy. The best answer is going to depend on the circumstances for your company, but consider your options, which I see as being:

  • Find budget to maintain the status quo
  • Work with your CFO to consider self-insurance
  • Eliminate cyber insurance and shift that spending to additional security investment to offset the increased risk
  • Eliminate cyber insurance and accept the additional risk

It’s clear that the cybersecurity insurance market is going to continue to evolve, and that evolution will require a response from CISOs. Be ready for that discussion, and know your options.

Former Uber CISO Found Guilty - By now we’ve had a few months to sit with the guilty verdict in the case against former Uber CISO Joe Sullivan. We covered this story in October, when he was found guilty of misprision of a felony. The insights are still relevant, so I’m including them below. When I think about 2022 stories that will change the nature of being a CISO in the future, this one floats near the top of the list. A CISO has been found guilty in federal court in connection with a security incident. This changes the risk calculus for all of us, and gives our profession an important (and scary) milestone.

This situation is hard to evaluate from the outside, without knowing all the facts. With that in mind, these comments are meant to cover the topic generally, not this case specifically. The conviction of a CISO could fall anywhere on the spectrum from grave injustice to a precedent that will improve our profession. Rather than take a position on where this situation falls, I take two key lessons from it:

  1. The CISO must keep corporate leadership informed and involved in core decision making, and ensure there is a paper trail to support that. A decision made in isolation (or the perception that it was) can cause serious problems.
  2. We need to create our own bright lines around acceptable behavior. Transparency with regulators and law enforcement is one clear requirement. Regardless of what decisions we make in running our programs, the consequences will likely be acceptable as long as we are honest about them.

Russia’s War in Ukraine - The February invasion of Ukraine by Russia, and the subsequent months of battles throughout the country, have given a view into what happens when an adversary with significant cyber capabilities enters into a shooting war. As Russia began its invasion, it launched a large set of supporting cyber attacks, targeting numerous companies, countries and technologies. The direct impact of these attacks on the Ukrainian military seems to be minimal. This may be the result of exceptional defense on the part of the Ukrainians, poor execution by the Russians, or a combination of both.

Additionally, while creating havoc and disruption with cyber attacks may not have been successful, one can imagine that an effective cyber espionage campaign could be very effective. Infiltration of military and commercial networks with critical information about the war effort could be much more impactful than taking particular systems offline. It brings to mind the Allies cracking Germany’s Enigma machine during WWII, and the massive advantage that gave them.

For those running security programs for enterprises, an especially important lesson from this is that even though Russia’s cyber operations failed to offer significant advantages over Ukraine, they were still impactful globally. This started with the successful attack against Viasat as the Russian invasion began on February 24th, which knocked many military, commercial and residential users off the internet, including wind farms throughout central Europe. In October, we saw hacktivists take down numerous US government and pseudo-government websites, in a presumed act of support for the Russian objectives in Ukraine. Throughout the war, the US government has issued numerous bulletins and guidelines for US agencies and companies to follow, to mitigate the impact of expected attacks. While the cyber ramifications of the war have been less than feared, the trend indicates the types of attacks that we can expect during modern warfare.

Cybersecurity is the Biggest Risk for Companies - The Allianz Risk Barometer is an annual measure of the top risks that CEOs, risk managers and insurance experts are most concerned about. Cyber incidents ranked as the top risk this year, with 44% of those surveyed including it as a top concern. Interestingly, the number 2 risk (at 42%) is “Business interruption,” which is tightly coupled with cyber resiliency. The primary driver for cyber incidents leading the way is the growing impact of ransomware. While it does not appear that compliance or data confidentiality was enough to bring security to the top of the list, seeing many competitors taken out of commission by ransomware seems to have done the trick.

This increased focus on cybersecurity will continue the trend of Boards of Directors looking for business-minded CISOs to explain how their activities are protecting the company from being taken offline by attackers. This is the time for us to invest in essentials like effective (and well-tested) backups, and effectively operated detection and response capabilities.