Could cybersecurity debt be the biggest security threat in 2022?

Security has taken a back seat to digital acceleration, creating a growth in cybersecurity debt, and putting firms at risk. Among the unique threats of the past two years, the pandemic sped up digital innovation and accelerated the need for businesses to transform to stay relevant.

Many of these digital initiatives have been a necessary response to the health and trading environment. Businesses have had to pivot quickly to the cloud, prioritise enabling remote and hybrid working and accelerate the introduction of new digital services for customers.

Where is the shift in focus?

The boardroom’s focus has been on agility, resilience, profitability, and survival to maintain their competitive edge and growth trajectory. But it’s vital to be aware that every major IT initiative results in the growth in digital interactions between people, apps, and processes.

Each of these connections, whether human or machine, is created by a digital identity. This acceleration of initiatives has led to an explosion in digital identities – easily running to the hundreds of thousands per organisation – and these figures will continue to grow.

The existence of more digital identities is not a cause for concern. However, in their hurry to roll out these projects, organisations haven’t always properly secured these identities.

Identity security, approached with privilege in mind, is the new battleground. It needs to be managed centrally across all parts of the business to gain visibility; otherwise the cost is a build-up of cybersecurity debt. CyberArk’s recently released 2022 CyberArk Identity Security Threat Landscape Report found many firms are heading deeper into cybersecurity debt by prioritising digital initiatives while putting off identity-focused security protections.

In fact, over the past year, 70% of organisations have experienced ransomware attacks, with an average of two per company, while 71% suffered a software supply chain attack that resulted in data loss or a compromise of assets. Yet, shockingly, 62% of organisations have done nothing to secure their software supply chain, with 64% admitting that if a supplier was compromised, they wouldn’t be able to stop an attack on their own organisation.

It’s time firms look at shifting their focus back on addressing these vulnerabilities and be proactive about improving their measures to work towards mitigating cybersecurity debt.

What is cybersecurity debt?

Cybersecurity debt is when security programmes and tools don’t keep pace with digital initiatives, exposing the business to increased security risks. It’s critical that the human and machine identities being created are managed and secured correctly. This is because most of them, according to our research, access sensitive data and assets to perform their roles.

And yet, less than half of organisations currently have identity security controls in place for their business-critical applications, or their cloud services, while the vast majority have secrets and credentials scattered throughout their DevOps environment. Unsecured, unmanaged credentials are exactly what attackers target. So, while security teams struggle to keep up with the speed of digital acceleration in the business, vulnerabilities grow.

The turbulence of the last few years meant many businesses had to react quickly – understandably so. However, now we’re in this ‘new / next normal’, it’s imperative that businesses take stock of, and respond to, growing levels of identity-related cybersecurity debt. Otherwise, they’re leaving a door wide open for cybercriminals to simply walk through.

What are the areas of heightened risk?

Poorly protected credentials are the number one perceived area of risk for firms, as they’re a primary means for attackers to gain entry to business systems. From there cybercriminals can steal data or hold it to ransom, disrupt business operations or go on to gain more powerful privileged credentials that give access to even more valuable business assets.

DevOps, CI/CD pipelines or other development environments represent another area where cybersecurity debt needs to be addressed. This is because 87% of firms store secrets like passwords and encryption keys in multiple places across DevOps environments. In fact, only 3% use a centralised secrets management platform to manage credentials used by apps.
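The scattered-secrets condition described above can be inventoried rather than guessed at. The following is an added example, not code from the article or from CyberArk: it scans a small set of constructed DevOps artefacts (a .env file, a CI pipeline, a compose file and a deploy script) for credential-looking assignments and counts how many distinct places hold a literal secret. A second, hardened set of the same files resolves secrets at runtime from a central store (modelled here as `${VAR}` references, a `$(vault ...)` lookup and a Docker `/run/secrets/` file mount) and produces no findings. File names, key names and values are all constructed for the demo.

```python
"""Secret-sprawl inventory over DevOps artefacts (added example, constructed input)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assignment whose key name suggests a credential: KEY=value or key: value.
# The list of credential words is an assumption for the demo, not a standard.
SECRET_KEY = re.compile(
    r"(?i)\b([A-Z0-9_.-]*(password|passwd|secret|api[_-]?key|token|private[_-]?key)[A-Z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?([^'\"\s#]+)['\"]?"
)

# Values that point at an external secret source rather than holding the secret:
# ${VAR} / $VAR expansions, $(command) lookups, Docker secret mounts, placeholders.
REFERENCE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$|^\$\(|^/run/secrets/|^<redacted>$")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    key: str
    value_preview: str  # first characters only, so the report itself does not leak


def is_reference(value: str) -> bool:
    """True when the value defers to a central store instead of embedding a secret."""
    return bool(REFERENCE.match(value))


def find_secrets(files: dict[str, str]) -> list[Finding]:
    """Return one Finding per line that stores a literal credential value."""
    findings: list[Finding] = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            m = SECRET_KEY.search(stripped)
            if not m:
                continue
            key, _, value = m.groups()
            if is_reference(value):
                continue
            findings.append(Finding(path, n, key, value[:4] + "..."))
    return findings


def secret_locations(findings: list[Finding]) -> list[str]:
    """Distinct files holding literal secrets: the 'multiple places' the article counts."""
    return sorted({f.path for f in findings})


# Constructed sample: the same credential copied into four separate artefacts.
SPRAWLED = {
    ".env": "DB_PASSWORD=hunter2\nAPI_TOKEN=tok_live_0123456789\n",
    ".gitlab-ci.yml": "deploy:\n  script:\n    - export DB_PASSWORD=hunter2\n    - ./deploy.sh\n",
    "docker-compose.yml": "services:\n  db:\n    environment:\n      POSTGRES_PASSWORD: hunter2\n",
    "deploy.sh": '#!/bin/sh\n# legacy script\nAWS_SECRET_ACCESS_KEY="EXAMPLEKEY0000000000"\n',
}

# Constructed hardened sample: every secret is resolved from a central store at runtime.
HARDENED = {
    ".env.example": "DB_PASSWORD=<redacted>\nAPI_TOKEN=<redacted>\n",
    ".gitlab-ci.yml": (
        "deploy:\n  script:\n"
        "    - export DB_PASSWORD=$(vault kv get -field=password secret/app/db)\n"
        "    - ./deploy.sh\n"
    ),
    "docker-compose.yml": (
        "services:\n  db:\n    environment:\n"
        "      POSTGRES_PASSWORD_FILE: /run/secrets/db_password\n"
        "    secrets:\n      - db_password\n"
    ),
    "deploy.sh": '#!/bin/sh\nAWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"\n',
}


if __name__ == "__main__":
    for label, files in (("sprawled", SPRAWLED), ("hardened", HARDENED)):
        found = find_secrets(files)
        print(f"{label}: {len(found)} literal secret(s) in {len(secret_locations(found))} file(s)")
        for f in found:
            print(f"  {f.path}:{f.line_no}  {f.key} = {f.value_preview}")
```

The point of the inventory is the second number, not the first: one leaked value copied into four artefacts is four rotation points and four places an attacker can read it, which is exactly the debt a centralised secrets platform retires. The scanner is deliberately simple (one match per line, a short word list) and is meant to be run against a repository checkout or CI configuration export, not as a replacement for a proper secret-scanning tool.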

In addition, 80% of security professionals agree that developers currently have more privileges than they need, which also opens businesses to further unnecessary risk.

So, what can be done?

There’s no silver bullet to counteract cybersecurity debt. However, there are simple steps that can be taken to improve the management of security, starting with core measures such as establishing zero trust principles. This is an approach that demands that any person or machine trying to connect to a firm’s system must first be verified before access is granted.

Our research shows the top three strategic initiatives that CISOs and CIOs cite to implement zero trust principles are: workload security; identity security tools; and data security.

Businesses have had to be very reactive over the last few years, but now is the time to take back control of their security and begin to pay down the cybersecurity debt they’ve accrued.

This means extending zero trust “never trust; always verify” protections across the whole IT environment: from apps and workforces to hybrid cloud workloads and throughout the DevOps lifecycle. Digging out of cybersecurity debt takes time, and for many firms there’s work to be done.

Creating a risk-based plan can help them identify ways to make quick, high-return “payments” and then follow a feasible timeline for reducing the remaining cybersecurity debt. With a solid identity-centric risk plan in place, firms can effectively strengthen defences against emerging threats while advancing key initiatives to propel their business forward.

Thomas Fikentscher is the Regional Director ANZ at CyberArk.