Cybersecurity Retrospective Briefing — March 15, 2022
A 2020–2022 cybersecurity retrospective charts pandemic-driven attack expansion, zero-trust policy waves, and ransomware economics—guiding security leaders on operational, governance, and sourcing priorities for the next planning cycle.
Executive briefing: The period from early 2020 through Q1 2022 reset cybersecurity baselines. Remote work, accelerated cloud adoption, and geopolitical unrest expanded attack surfaces, while landmark incidents such as SolarWinds, Colonial Pipeline, Log4Shell, and Microsoft Exchange ProxyLogon forced governments and enterprises to overhaul practices. Reviewing the past two years highlights lessons for operational resilience, governance, sourcing, and investment priorities as organizations plan 2022–2024 roadmaps.
Timeline of major shifts
2020: The pandemic drove mass remote work, prompting rapid deployment of VPNs, collaboration tools, and cloud services. Threat actors exploited misconfigurations and phishing targeting pandemic themes. Notable events included the SolarWinds Orion supply-chain compromise, compromises of COVID-19 research institutions, and increased ransomware targeting healthcare. Policy responses included the U.S. CISA releasing telework guidance and the UK NCSC promoting remote working security.
2021: Supply-chain attacks and ransomware escalated. The Microsoft Exchange ProxyLogon campaign, Colonial Pipeline ransomware incident, Kaseya VSA compromise, and widespread exploitation of Log4Shell underscored the fragility of software supply chains. The U.S. issued Executive Order 14028 on improving cybersecurity, CISA established the Joint Cyber Defense Collaborative, and multiple governments launched ransomware task forces. Insurance carriers tightened underwriting, requiring MFA and segmentation.
Early 2022: Russia’s invasion of Ukraine triggered global Shields Up advisories. Governments advanced zero-trust mandates (OMB M-22-09 in the U.S., UK’s Cyber Assessment Framework updates), while EU institutions progressed the NIS2 Directive and Digital Operational Resilience Act. Organizations re-evaluated supplier risk, incident reporting, and resilience strategies.
Operational lessons learned
- Visibility gaps: Incidents revealed limited visibility across hybrid environments. Investments in extended detection and response (XDR), cloud-native telemetry, and asset management became critical.
- Patch velocity: Log4Shell demonstrated the need for rapid patching and virtual patching. Enterprises adopted risk-based vulnerability management, attack surface management, and continuous scanning.
- Incident response maturity: Tabletop exercises expanded to include cross-functional stakeholders, communications, legal, and regulators. Playbooks integrated ransomware payment decision frameworks and negotiated response protocols.
- Business continuity: Colonial Pipeline and other incidents highlighted the need to link IT/OT recovery plans. Organizations invested in network segmentation, manual operations, and redundant systems.
- Third-party monitoring: The SolarWinds compromise prompted third-party risk programmes to require SBOMs, enhanced logging, and supply-chain attestations.
Governance and policy developments
- Zero-trust mandates: U.S. federal agencies must achieve specific zero-trust targets by 2024, while allied governments issued similar guidance. Boards now expect zero-trust roadmaps from management.
- Regulatory reporting: Governments introduced or proposed faster incident reporting—U.S. critical infrastructure reporting within 72 hours (pending legislation), Australia’s Security of Critical Infrastructure Act amendments, and EU NIS2’s 24-hour initial notification.
- Board accountability: The SEC proposed enhanced cybersecurity governance disclosures; UK regulators emphasised board engagement through FCA/PRA Dear CEO letters. Directors sought specialized education.
- Insurance market hardening: Premiums rose and coverage declined unless organisations implemented MFA, EDR, and incident response plans. Boards reevaluated cyber risk transfer strategies.
- International cooperation: Cross-border alliances like the Counter Ransomware Initiative and EU-US Trade and Technology Council fostered joint actions against cybercrime.
Technology priorities for 2022–2024
- Zero-trust architecture: Implement identity-centric access controls, microsegmentation, continuous authentication, and secure access service edge (SASE) platforms.
- Security observability: Expand logging across cloud, SaaS, OT, and identity providers. Adopt scalable data lakes and analytics to support threat hunting.
- Software supply-chain security: Integrate software bill of materials (SBOMs), code-signing protections, dependency scanning, and secure build pipelines aligned with NIST SP 800-218 (Secure Software Development Framework).
- Automation and orchestration: Use SOAR and security automation to reduce response times, enforce policy, and orchestrate cross-team actions.
- Resilience engineering: Invest in chaos engineering, backup verification, and site reliability engineering practices to ensure systems can withstand and recover from attacks.
Sourcing and ecosystem considerations
- Managed services adoption: Organizations increasingly rely on managed detection and response (MDR) and incident response retainers to cover skill shortages. Contracts must define SLAs for threat detection, reporting, and coordination with internal teams.
- Vendor consolidation versus specialization: Security leaders weigh platform consolidation to reduce complexity against the need for specialized tools targeting OT, cloud, or identity threats. Procurement strategies should evaluate integration costs and resilience benefits.
- Supplier risk transparency: Expect more requests for SBOMs, vulnerability disclosures, and coordinated vulnerability disclosure programmes. Vendors must invest in secure development to remain competitive.
- Talent pipelines: Workforce shortages drive partnerships with universities, apprenticeships, and internal reskilling. Outsourcing must include knowledge transfer clauses to avoid dependency.
- Insurance partnerships: Engage brokers and carriers early to align security controls with underwriting expectations, capturing incentives for improved posture.
Metrics and reporting
Boards demand actionable metrics beyond counts of blocked attacks. Organizations are adopting KPIs such as mean time to detect/respond, percentage of privileged accounts with MFA, patch compliance rates for critical vulnerabilities, percentage of critical suppliers assessed, and progress toward zero-trust milestones. Qualitative reporting includes scenario analyses, tabletop exercise outcomes, and alignment with regulatory frameworks.
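As an added illustration (not part of the briefing), the following Python computes the KPIs named above from constructed records; the record fields, the reporting date and the way overdue items are counted are assumptions, not a standard the briefing prescribes.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records (not from the briefing); timestamps are ISO 8601, UTC.
INCIDENTS = [
    {"id": "inc-1", "occurred": "2022-01-03T08:00", "detected": "2022-01-03T20:00", "contained": "2022-01-05T08:00"},
    {"id": "inc-2", "occurred": "2022-02-10T02:00", "detected": "2022-02-10T03:30", "contained": "2022-02-10T11:30"},
]
PRIVILEGED_ACCOUNTS = [
    {"user": "admin-a", "mfa": True}, {"user": "admin-b", "mfa": False},
    {"user": "svc-backup", "mfa": True}, {"user": "admin-c", "mfa": True},
]
# "due" is the remediation deadline for a critical finding; "patched" is None while still open.
CRITICAL_VULNS = [
    {"id": "crit-1", "due": "2022-01-10", "patched": "2022-01-08"},
    {"id": "crit-2", "due": "2022-01-10", "patched": "2022-01-14"},
    {"id": "crit-3", "due": "2022-02-01", "patched": None},
    {"id": "crit-4", "due": "2022-02-01", "patched": "2022-01-30"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def mean_hours(records, start, end):
    """Mean elapsed hours from field `start` to field `end`; None when there are no records."""
    if not records:
        return None
    return mean((_ts(r[end]) - _ts(r[start])).total_seconds() / 3600 for r in records)

def mfa_coverage(accounts):
    """Fraction of privileged accounts with MFA enforced; None for an empty inventory."""
    return None if not accounts else sum(1 for a in accounts if a["mfa"]) / len(accounts)

def patch_compliance(vulns, as_of):
    """Fraction of critical findings already past their deadline (as of `as_of`) that were patched
    on time. Open items past due count as non-compliant; items not yet due are excluded."""
    cutoff = _ts(as_of)
    due_items = [v for v in vulns if _ts(v["due"]) <= cutoff]
    if not due_items:
        return None
    on_time = sum(1 for v in due_items
                  if v["patched"] is not None and _ts(v["patched"]) <= _ts(v["due"]))
    return on_time / len(due_items)

def kpi_report(as_of, incidents=INCIDENTS, accounts=PRIVILEGED_ACCOUNTS, vulns=CRITICAL_VULNS):
    """Board-level KPIs listed in the briefing, computed over the supplied records."""
    return {
        "mttd_hours": mean_hours(incidents, "occurred", "detected"),   # mean time to detect
        "mttr_hours": mean_hours(incidents, "detected", "contained"),  # mean time to respond
        "privileged_mfa_share": mfa_coverage(accounts),
        "critical_patch_compliance": patch_compliance(vulns, as_of),
    }
```

Run `kpi_report("2022-02-15")` to produce one reporting period's figures; a None value means the metric has no denominator yet and should be reported as "not applicable" rather than as zero.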
Strategic recommendations
- Integrate cyber and business continuity planning: Align recovery priorities with operational and financial impacts. Test simultaneous cyber and physical incident scenarios.
- Embed security into digital transformation: Require DevSecOps practices, secure-by-design architectures, and privacy engineering for new initiatives.
- Strengthen threat intelligence fusion: Combine internal telemetry with government and industry intelligence feeds to anticipate threats and inform investment decisions.
- Elevate board engagement: Provide quarterly deep dives, scenario exercises, and training to enhance oversight and funding decisions.
- Measure supplier resilience: Implement continuous monitoring of critical suppliers, validating incident response capabilities and regulatory compliance.
Outlook
The cybersecurity landscape will continue to evolve with geopolitical tensions, regulatory demands, and innovation. Organizations that internalize lessons from 2020–2022—prioritizing zero trust, supply-chain security, resilience, and governance—will better withstand the next wave of threats and regulatory scrutiny.
Regional nuances
Regional regulators emphasized different aspects of cybersecurity. The EU advanced the Digital Operational Resilience Act for financial services and proposed critical entities resilience rules, while Germany implemented the IT Security Act 2.0 expanding obligations for critical infrastructure operators. In Asia-Pacific, Singapore’s Cyber Security Agency updated codes of practice for critical information infrastructure, and Japan revised its cybersecurity strategy focusing on supply-chain risks. Latin American governments invested in national CSIRTs and public-private information sharing. Multinationals must tailor programmes to local supervisory expectations while maintaining global standards.
Investment outlook
Security budgets are shifting toward proactive capabilities such as identity governance, security automation, and resilience engineering. Organizations should allocate funding to modernize legacy systems, expand cyber insurance coverage where economically viable, and develop talent pipelines. Partnerships with managed service providers must include transparent performance metrics and knowledge transfer requirements to build internal capability. Continual measurement and storytelling around resilience outcomes will help secure sustained executive support.