Gartner: 7 Security and Risk Management Trends for 2022

lock icons over hands on laptop keyboard

Security and risk management in higher education and other sectors has become increasingly complex, thanks to the ever-expanding digital footprint of modern organizations, according to research firm Gartner. "The pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise — all while dealing with a shortage of skilled security staff," noted Research Vice President Peter Firstbrook. That's a difficult position from which to defend an institution against new and emerging threats.

In a recent report, Gartner outlined seven trends impacting cybersecurity and risk management practices in the coming year. The trends build on and reinforce one another, Firstbrook said: "Taken together, they will help CISOs evolve their roles to meet future security and risk management challenges and continue elevating their standing within their organizations." Following are key areas to watch and how institutions can adapt their security approaches in response to evolving needs.

1) Attack surface expansion. The use of cyber-physical systems (technologies that utilize sensing, computation, control, networking and analytics to interact with the physical world) and the Internet of Things, open source code, cloud applications, social media and more has resulted in a wider range of security exposures, Gartner said. "Organizations must look beyond traditional approaches to security monitoring, detection and response," the report advised. "Digital risk protection services (DRPS), external attack surface management (EASM) technologies and cyber asset attack surface management (CAASM) will support CISOs in visualizing internal and external business systems, automating the discovery of security coverage gaps."  

2) Digital supply chain risk. By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, according to a Gartner prediction. "Digital supply chain risks demand new mitigation approaches that involve more deliberate risk-based vendor/partner segmentation and scoring, requests for evidence of security controls and secure best practices, a shift to resilience-based thinking and efforts to get ahead of forthcoming regulations," the report said.

3) Identity threat detection and response. "Credential misuse is now a primary attack vector," Gartner said. The research firm uses the term "identity threat detection and response," or ITDR, to describe the tools and best practices needed to defend identity systems. "Organizations have spent considerable effort improving [identity and access management] capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure," Firstbrook pointed out. "ITDR tools can help protect identity systems, detect when they are compromised and enable efficient remediation."

4) Distributing decisions. "The scope, scale and complexity of digital business makes it necessary to distribute cybersecurity decisions, responsibility and accountability across the organization units and away from a centralized function," Gartner said. As a result, the role of a cybersecurity leader must evolve from sole decision-maker to more of a facilitator. "By 2025, a single, centralized cybersecurity function will not be agile enough to meet the needs of digital organizations," Firstbrook said. "CISOs must reconceptualize their responsibility matrix to empower Boards of Directors, CEOs and other business leaders to make their own informed risk decisions."

5) Beyond awareness. Traditional, compliance-centric approaches to security awareness training are ineffective, Gartner said. Instead, the company advised investing in "holistic security behavior and culture programs," which focus on "fostering new ways of thinking and embedding new behavior with the intent to provoke more secure ways of working across the organization."

6) Vendor consolidation. The need to reduce complexity and administrative overhead while increasing effectiveness is driving convergence in security technologies, Gartner said. For example, for many organizations, cloud-delivered secure web gateway, cloud access security broker, zero trust network access and branch office firewall-as-a-service capabilities might all be provided by the same vendor. "Consolidation of security functions will lower total cost of ownership and improve operational efficiency in the long term, leading to better overall security," Gartner asserted.

7) Cybersecurity mesh. "A cybersecurity mesh architecture (CSMA) helps provide a common, integrated security structure and posture to secure all assets, whether they're on-premises, in data centers or in the cloud," Gartner explained. This is important in defining consistent security policies, enabling workflows and exchanging data among security solutions.

The full report is available to Gartner clients here.

About the Author

Rhea Kelly is editor in chief for Campus Technology, THE Journal, and Spaces4Learning. She can be reached at [email protected].

Featured

  • abstract illustration of a glowing AI-themed bar graph on a dark digital background with circuit patterns

    Stanford 2025 AI Index Reveals Surge in Adoption, Investment, and Global Impact as Trust and Regulation Lag Behind

    Stanford University's Institute for Human-Centered Artificial Intelligence (HAI) has released its AI Index Report 2025, measuring AI's diverse impacts over the past year.

  • modern college building with circuit and brain motifs

    Anthropic Launches Claude for Education

    Anthropic has announced a version of its Claude AI assistant tailored for higher education institutions. Claude for Education "gives academic institutions secure, reliable AI access for their entire community," the company said, to enable colleges and universities to develop and implement AI-enabled approaches across teaching, learning, and administration.

  • lightbulb

    Call for Speakers Now Open for Tech Tactics in Education: Overcoming Roadblocks to Innovation

    The annual virtual conference from the producers of Campus Technology and THE Journal will return on September 25, 2025, with a focus on emerging trends in cybersecurity, data privacy, AI implementation, IT leadership, building resilience, and more.

  • From Fire TV to Signage Stick: University of Utah's Digital Signage Evolution

    Jake Sorensen, who oversees sponsorship and advertising and Student Media in Auxiliary Business Development at the University of Utah, has navigated the digital signage landscape for nearly 15 years. He was managing hundreds of devices on campus that were incompatible with digital signage requirements and needed a solution that was reliable and lowered labor costs. The Amazon Signage Stick, specifically engineered for digital signage applications, gave him the stability and design functionality the University of Utah needed, along with the assurance of long-term support.