This post was contributed by Michael Cote, Senior Solutions Engineer at TrustMAPP.

As we cross the threshold from 2021 into 2022, companies across the globe will be addressing the tradition of deciding where it’s best to reinvest their limited funding and efficiently utilize the dollars they have available. Companies need to take into consideration the following: where they are today, what areas need the resources to shore up their current capabilities, then decide where they need to go from that point. From an InfoSec standpoint, assessing each department’s security strengths and weaknesses will uncover those areas needing the most attention. Once that is determined, the company can then address the direction in which leadership has chosen to go and how to obtain the things needed to get them to their next set of goals.

The marketplace is not lacking in articles and suggestions on improving cybersecurity posture. The leadership of every company is different, and the approach taken by the CTO, CISO, CFO, et al of each company will be different from one other. A consensus on direction must occur among the leadership. That will then dictate the approach taken and the resources required to take that approach.

When presented with the varied directions a company can take to improve their cybersecurity program, what will convince them to take one path over another? Progress in technology is certainly one of the things to consider. Depending on the size of the company, technological prowess is more available to those organizations with deeper pockets. That one factor alone can be a separating force between the large capital companies and the SMB’s. Could there be something out there that would benefit everyone equally no matter the size of the company?

When we think of progress and the evolution in steps that progress requires, we can then focus more closely on the realistic means by which to achieve an end. It’s understood that for the advancement of things to occur, other things would have to occur previously. Next-generation stateful firewalls of the 21st Century did not precede the stateless, packet filtering firewalls from the 20th Century. We had to discover what worked, what didn’t work and improve on our current product to create a newer, more robust product that met updated technological changes.

Of the myriad of options available for investment in a company’s cybersecurity future, the leading candidates are, in my opinion, the talent pool and zero-trust.

I hesitate to pick one over the other because I feel very strongly about what skilled people can bring to a company but, for me, zero-trust is the winner. The reason is that zero-trust is a way of thinking and behaving. It is not a product line. It is not beholden to the shiny object syndrome or the latest, fastest widget available. It is also available this minute and to all of us. The size of your environment or the amount of your cash flow does not matter. This is something that everyone at every level can incorporate into their business model. Even without the well-trained, dedicated talent to implement that zero-trust mindset effectively and efficiently, zero-trust can still be trusted. As for the talent pool they, along with the rest of the world, fall under the “Do not trust” umbrella. That is simply because humans, with no malicious intent or with, are infallible. There are those who have ill will and do unbelievably terrible things while the rest of us do our absolute best to do good things. As humans, we also make mistakes which, in cyber security, could lead to profoundly profound consequences.

The following are also all good choices for where a company could focus their attention: Artificial intelligence, third-party access risk and cloud services attacks, ransomware attacks, bank fraud, cyber insurance, and building security into technology design.

I understand there are those who believe that AI would be an obvious, first choice. Seems like an excellent selection but I’ll explain why I’ll stay with my zero-trust approach.

The reasoning for this goes to the progress it takes to move forward from any point. If form follows function, then AI design must follow the existing state of things. As much as our imaginations can dream up fantastical ideas of the future, what we have now in our possession can do only so much. AI then is beholden to the available materials and numerical knowledge we possess. Our current understanding of how to use those materials, in turn, limits what we can do. The current memory storage space we have available in our hands today would have been unbelievable 50 years ago. But we didn’t get to terabyte level drives for home use without first designing and successfully using the floppy disk.

The speed at which we develop our future artificial intelligence capabilities is gradual simply because things take time. They just do. We simply cannot move and develop AI fast enough to defend against our adversaries to take a commanding lead over their offensive capabilities.

Regarding the talent pool, the world is at a serious shortage of qualified, talented individuals to fill the necessary roles needed in the cybersecurity community. Various sources believe those unfilled roles number nearly two million in the United States alone for 2022 reaching 3.5 million by 2025. Outreach to high schools is more active than ever as companies aim to train young people for a satisfying career in cybersecurity. Had our attention on training the eager high school student been this aggressive 20 years ago, who can say where we would be today? Training new talent and providing ongoing training to existing talent can be expensive. In our online world, financially palatable options exist through virtual classes and programs. Training and educating the numbers of individuals needed to fill those open positions takes time. As with AI, time is not on our side when getting new talent up to speed.

Whichever direction companies take in 2022 to improve their security offensive and defensive capabilities, it’s a great sign there are an increasing number of trends written about in blogs and industry newsletters. Another reliable source of information is the podcast. Podcasts are also showing an increasing trend in not only availability but also listenership. These are excellent sources for gaining an understanding of the issues that face the cyber security profession today. Hearing CISO’s and others in the leadership chain discuss their approach to managing the things that keep them up at night is an excellent source of building your own understanding of all things cyber. Highly qualified and very experienced cyber security professionals lead most podcasts.

Now that is someplace where I can put my trust!