Security leaders must practice greater resilience and evolve strategies to protect an expanding digital footprint against emerging threats, according to a new Gartner report.
Gartner has identified digital supply chain risk as a new security threat and one of its top seven security and risk management trends for 2022. Increasingly, there are products in the digital supply chain that companies rely upon that are the “unsung core components holding up our digital operations,” said Peter Firstbrook, research vice president at Gartner.
When an underlying component of a third-party app a company uses has a critical vulnerability, the company is not responsible for its maintenance, so there are underlying dependencies that are out of its control, Firstbrook said, referencing the SolarWinds breach and Log4j attack. That can lead to “cascading failure.”
Attacks on the digital supply chain can yield a high return on investment for cybercriminals, Firstbrook said. As more vulnerabilities spread through the supply chain, more threats are expected to emerge. In fact, Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase from 2021.
Digital supply chain risks demand new mitigation approaches that involve more deliberate risk-based vendor/partner segmentation and scoring, requests for evidence of security controls and secure best practices. Much like protecting a physical supply chain, one key best practice is shifting to resilience-based thinking by assessing critical infrastructure and having a Plan B so a company can keep operating, Firstbrook said.
Identity threat detection and response is among the other six top security and risk management trends for 2022. In 2021, identity as the new security perimeter was one of Gartner’s top security and risk management trends. Now, Gartner is building that out and introducing the term “identity threat detection and response” to describe the collection of tools and best practices to defend identity systems.
Sophisticated threat actors are actively targeting identity and access management infrastructure, and credential misuse is now a primary attack vector, according to Firstbrook.
“Organizations have spent considerable effort improving IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure,” he said. “ITDR tools can help protect identity systems, detect when they are compromised and enable efficient remediation.”
Another notable trend for 2022 is that the CISO role must be expanded and distributed across business units because enterprise cybersecurity needs and expectations are maturing, and executives require more agile security amid an expanding attack surface.
“The CISO role has moved from a technical subject matter expert to that of an executive risk manager,” Firstbrook said. “By 2025, a single, centralized cybersecurity function will not be agile enough to meet the needs of digital organizations. CISOs must reconceptualize their responsibility matrix to empower boards of directors, CEOs and other business leaders to make their own informed risk decisions.”
Security is now everyone’s responsibility, he said.
The full list of the top security and risk management trends for 2022 is:
- Attack surface expansion
- Digital supply chain risk
- Identity threat detection and response
- Distributing decisions
- Beyond awareness
- Vendor consolidation
- Cybersecurity mesh
However, every organization is at a different stage of security maturity, “so no organization should take on all seven trends,” but instead, focus on where there are gaps, Firstbrook said.
If they can only pick one to tackle, Firstbrook didn’t hesitate: “It would absolutely be identity threat detection and response,” because organizations must be aware their identity system is under attack, he stressed. Often, hackers will come onto the network with a fake identity “and then they’re invisible,” Firstbrook said. “No alarm bells go off if they’re a credentialed user. They hide in noise.”
The challenge is that identity is not a single system. “It’s not as simple as endpoint detection … in the identity world there’s no single solution; there’s lots of processes, configurations and tools across the board that people have to focus on. Attackers are using a lack of attention on the identity infrastructure as a way to get in.”