What can data security and privacy leaders expect from the year ahead? How will key trends shape the industry? Our team looks at three key trends that will impact security and privacy in 2022, and what leaders can do to get ahead of the curve.
Trust must be earned
Trust is a brand’s most important commodity, but in an era of surveillance capitalism and increasing cybersecurity threats (such as ransomware attacks which spiked in 2021), trust is limited on all sides.
The old adage of “trust but verify” no longer works when your assets are in the cloud and harder to protect than when they were in a physical location. We’re now in a security era of “zero trust” where there is no trust by default. It’s not realistic to trust that people won’t click on a phishing email, or that the third parties we work with will be 100% secure. Trust needs to be earned and demonstrable.
In 2022 we will see consumers double down on authenticity and demand greater transparency about the use of their digital data and how companies apply security controls. Trust will be more important and at more of a premium than ever. Investment in resources, effort, and most importantly deep thought will be necessary for companies to build and sustain it.
Data security and privacy leaders must respond with objectivity, consistent due diligence on third parties, and relentless attention to security foundations. Leaders should also connect compliance to customer needs, demonstrate hard-earned security and privacy standards openly, and clearly communicate their efforts to customers.
Going forward, we’ll see more dedicated security and privacy areas and events on company websites (such as Slack’s) which explain their approach to security and data compliance in plain language, with the leaders as part of the public face of the message. Larger companies will go further to connect privacy and security to the ethics of the ESG agenda, with greater adoption of benchmarks and new standards for transparency (such as Edelman’s trust barometer) to assure customers and stakeholders.
Connected domains; deeper collaboration
Data security and privacy are rapidly evolving, expert domains; however, with deep specialism comes the challenge of silos.
With the rise of collaborative cybercriminal business models such as malware-as-a-service which see the bad guys working together with increased sophistication, it is important for the security community to work together and share threat intelligence knowledge.
Throughout 2022 and beyond, we will see data security, privacy, risk, and data governance programs converge to break out of their silos. We can expect knowledge sharing to increase between companies; however, we anticipate that confidentiality restrictions will continue to make it a challenge in the traditional enterprise.
Leaders can drive the trend for deeper collaboration by building their networks and connections to privacy and security communities, and internally by aligning privacy and information security programs, sharing risk approaches, running joint data breach simulations, and collaborating on a single budget for an aligned program that is presented to the board.
Democratizing the domains
Having critical domain knowledge owned by the few is unsustainable. The war for security and privacy talent has intensified. There simply aren’t enough people with the necessary skills and knowledge to meet the demand.
The nature of data security and privacy is such that they are inherently holistic domains—cutting across people, operational processes, suppliers, and infrastructure. This demands a collective response from the organization. It requires a shared understanding, based on knowledge transfer, and a gearing up of capabilities across teams. Robust data security and compliance rely on a strong, horizontal organizational design where team roles and responsibilities are clear.
In cloud-native companies, we have already seen the shift towards the adoption of DevSecOps and Security by Design principles. Security is embedded in engineering’s agile process, rather than being escalated to the CISO level, where requirements end up as an afterthought.
In 2022, this by-design trend will spread from cloud companies into wider standard practice, baking security and privacy requirements into every part of product design. We’ll see the security and privacy engineer roles go mainstream, with increased pressure to retrain for these roles as competition for talent heats up. We can also expect to see education programs innovate beyond the standard ‘GDPR’ or ‘cyber 101’ courses towards applied learning as company leaders recognize the value of building a pragmatic, capable team.
Leaders can get ahead by refreshing their training and awareness programs, and finding new ways to engage, share learning, find a common language, and build bespoke materials that work for hybrid working environments. The focus should move beyond building privacy and security champions, towards real ownership and solutions at source. Practical learning and toolkits should be prioritized, so that privacy and security increasingly become a genuine team sport rather than a burden carried by a few.
Data security and privacy are now inherent to technology businesses, and can only become more so as the ever-expanding threat environment becomes more demanding and the regulatory landscape more complex. At the same time, citizens demand greater openness from both governments and big tech regarding how their data is used and protected. Leaders should respond with greater collaboration, real transparency, security requirements baked into designs, and more proactive knowledge sharing than ever before.