A poll of 650 CISOs revealed 20 issues deemed critical for 2022.

What’s top-of-mind for CISOs today as they face unprecedented nation-state attacks on critical infrastructure in the wake of the Russia-Ukraine war, and continued disruption from an unending variety of malware and ransomware?

SC Media’s sister organizations, the Cybersecurity Collaborative and Cybersecurity Collaboration Forum, decided to find out — polling more than 650 CISOs to develop a list of 20 issues (unranked) that CISOs say earned their attention this year.

Security pros will find the list broad and varied, from concerns about malware, ransomware and cloud security to a focus on workforce development and creating and expanding security awareness programs. The CISOs are also grappling with emerging identity and access management technologies, app security and important new security principles, such as zero trust.

Here’s a snapshot of the topics CISOs are focused on in 2022:

Threat landscape/current security events: The Russia-Ukraine war and its impact on potential cybersecurity attacks on critical infrastructure, financial and healthcare communities in the U.S. has been top-of-mind since Russia invaded Ukraine in February. SC Media has reported on the cybersecurity authorities of the Five Eyes intelligence alliance — the United States, Australia, Canada, New Zealand and the United Kingdom — warning of potential malicious cyber activity resulting from Russia's invasion of Ukraine. There’s also been a report on how the Russia-linked actor Gamaredon has exponentially increased espionage in Ukraine during the war effort, targeting victims across multiple verticals.

Malware/ransomware readiness: Ransomware costs companies major financial and reputational damage. Just in the past month, SC Media has reported on the return of REvil, best known for its role in the JBS and Kaseya ransomware cases. The FBI has also been tracking ALPHV — aka BlackCat — which has been tied to attacks on major German oil companies and Florida International University. The FBI also warned the food and agriculture sector recently that ransomware actors were more likely to attack during the critical planting and harvesting seasons.

Cloud security: Security pros are still grappling with the shift to the cloud and CISOs need to pay attention to the security challenges. SC Media reported Thursday on research from Valtix, which found 95% of IT leaders say Log4Shell was a “wake-up call” for cloud security, changing it permanently. Some 87% now feel less confident about their cloud security now than they did prior to the incident. And researchers on Wednesday reported that in the second half of 2021, the number public-facing databases increased by 16% to 165,600, with most of them stored on web servers in the United States. Companies like RedHat are responding by offering tools that can help security accelerate development across multi-cloud platforms.

Workforce recruitment and development: Nearly everyone in the industry says they can’t find quality people to fill the jobs they need done in security departments and security operations centers. CyberSeek’s list of unfilled cybersecurity positions has hovered around 600,000 for months — and shows no real sign of declining. Despite the challenges, the industry keeps trying. Fortinet recently started a security awareness program and Offensive Security created its Global Partner Program to expand cyber education and attract good people into the industry. And just this month, Craig Newmark Philanthropies pledged more than $50 million to create a Cyber Civil Defense that would spread security awareness throughout the public and seek to create more opportunities in cyber for the country’s growing diverse population.

Zero trust: CISOs are also trying to understand how to integrate zero-trust principles across their enterprise and hybrid cloud networks. The federal government has been doing its part, and by dint of its vast size can help move the industry forward. But there are still serious challenges as SC Media reported last month: just 35% of security pros say they are “very familiar” with zero trust.