As I do each year, I recently got together with a number of my very talented colleagues here at Quest to think about key trends for the coming year. We all agree that the overriding theme of 2022 will be how organizations compensate for the IT talent shortage.
During the past year, we’ve felt workforce shortage issues become increasingly acute: Restaurants have longer wait times, supermarkets have fewer cashiers, and I for one am fervently hoping I don’t need someone to repair my furnace or washing machine anytime soon. There have been less direct impacts as well: Attacks like Hafnium are walloping organizations who no longer have experienced IT pros on staff who know the ins and outs of Active Directory or Exchange Server. Indeed, the staffing shortage is already hitting every aspect of IT, from security to operations to migration projects to Microsoft 365 license negotiations.
But as bad as 2021 has been in this regard, we predict that 2022 will say, essentially, “Hold my beer.” Three factors are aligning to create a perfect storm in the coming year:
- The IT talent shortage — For years, the demand for skilled IT pros has exceeded the supply, and the problem will only accelerate in 2022.
- The Great Resignation — Employees everywhere are re-examining their career aspirations, work-life balance and other priorities. In IT, that will mean losing admins qualified to manage legacy platforms like Active Directory, and even IT pros focused on managing Microsoft 365.
- The Great Resistance — Employees are now in a position of power and are pushing back on organizations who want to hire or retain them. It’s clear why organizations need them, but in 2022, workers will increasingly ask: What’s in it for me (WIIFM)? Employees want more flexibility and autonomy to find work and a lifestyle that best suits them, plus more competitive pay and benefits, and they are more than willing to change jobs or careers to get what they want.
Together, these three factors will drive organizations to the cloud and to automated third-party solutions in order to ease the burden of IT management.
My colleagues and I have come up with nine specific predictions about how this broader trend will play out. Let’s dive in.
1. Ransomware attacks will intensify and spread, driving organizations to bolster their protection and disaster recovery strategies.
Our first prediction is based on discussions with our Senior Director of Product Management, Paul Robichaux. An 18-time Microsoft MVP and the former CTO of Quadrotech, Paul has a great deal of insight to share, starting with some predictions about ransomware.
Anyone who’s paying even a little attention to the news knows that ransomware attacks are becoming more frequent and are no longer limited to large enterprises: SMBs, utilities, healthcare providers, broadcasters, local governments and school districts have all been walloped. Folks who have followed the attacks more closely will also note that hackers are now employing new tactics to strong-arm their victims into paying the ransom, such as not just encrypting data but threatening to post it publicly if they don’t get their Bitcoins. Microsoft has even highlighted a worrisome new trend of human-operated ransomware, where insiders are bribed or coerced into seeding ransomware in corporate networks to evade protection mechanisms.
But there’s more to this ugly new reality than new targets and tactics from the attacking side. Increasingly, governments are stepping into the arena concerning ransomware response. Back in October of 2020, the U.S. Department of the Treasury issued an advisory warning that not just making but also facilitating ransomware payments could result in penalties — and in September 2021, it made good on that threat, announcing sanctions against a cryptocurrency exchange for its role in ransomware payouts. Not surprisingly, insurance companies are starting to refuse to write cyber-insurance policies that reimburse customers for ransom payments, and there is every reason to expect that coverage is going to be harder and harder for organizations to get at any price.
These multiple factors, combined with the IT talent shortage, will drive organizations to implement better ransomware prevention and detection measures, as well as to finally pay serious attention to ensuring they have a comprehensive and well-tested disaster recovery (DR) strategy.
2. Supply chain attacks will escalate.
Paul also offered his perspective on another important issue for 2022: supply chain attacks.
State-level actors have been attacking the physical product supply chain for a while, but the digital supply chain — all the software and services an organization uses that come from external vendors — is increasingly at risk. Supply chain attacks are not new; for example, the devastating NotPetya attack of 2017 was a digital supply chain attack; attackers hacked the software update mechanism for a popular accounting tool so their malware would be deployed when the application was updated.
The NotPetya attack was devastating for organizations around the world, but it will likely pale in comparison to the SolarWinds supply chain attack in 2020, which ZDNet dubbed “the Pearl Harbor of American IT,” and the subsequent attack on Kaseya. In the SolarWinds attack, attackers managed to add malicious code to SolarWinds Orion, a system that some 33,000 organizations use to manage their IT resources — including Fortune 500 companies like Microsoft, Intel and Cisco, as well as federal agencies like the Treasury, the departments of Justice and Energy, and even the Pentagon. Like NotPetya, the malicious code was deployed through what seemed like a routine software update from the vendor. But unlike NotPetya, which was designed to wreak immediate devastation, the SolarWinds attack was so stealthy that it went undetected for months, enabling hackers to roam around the compromised computer networks for nine months, giving them ample opportunity to steal sensitive data, install additional code, create covert back doors and — importantly — cover their tracks. The Kaseya attack was more blatant — a ransomware group exploited Kaseya’s software-update deployment tool to automatically deploy ransomware to Kaseya customers, perverting the utility of the patch management system to “anti-patch” affected systems.
We should expect to see more, and more sophisticated, digital supply chain attacks in 2022 — especially since the ongoing IT talent shortage will be driving organizations to rely even more heavily on third-party software platforms, services and tools, as detailed in the next prediction.
3. Organizations will lean on cloud platforms, service providers and software vendors like never before.
The conversation about 2022 predictions also included Bryan Patton, who serves as principal strategic systems consultant at Quest. A Certified Information Systems Security Professional (CISSP), Bryan specializes in identity and access management, data governance, migration, and security, so I was eager for his thoughts about what to expect in 2022. Here’s what he had to say.
On March 5, 2021, Krebs on Security reported that Microsoft Exchange servers at hundreds of thousands of organizations around the world had been hacked in a campaign attributed to Hafnium, a state-sponsored cyber-espionage group. While Exchange Server might seem like a minor system today, email still holds a wide variety of sensitive data, including business-critical data like IP and deal negotiations, as well as regulated information such as customer PII. Beyond directly compromising critical data, however, in many cases, the hackers were able to install web shells with administrative rights that could be used for later credential harvesting and lateral movement to other systems.
Here’s the thing: Although Microsoft provided patches for the underlying vulnerabilities and stressed the urgency of deploying them, three weeks later, only about half of the Exchange servers visible on the internet had applied the patches! Why? One key reason is the IT talent shortage: Many organizations simply don’t have an IT pro on staff with the requisite knowledge of Exchange Server. In fact, Microsoft realized there were so many customers who needed help that they released a one-click mitigation tool, which they explicitly note is not a replacement for the Exchange security update but at least provides a quick and easy way to mitigate the highest risks.
In 2022, we expect to see even more demand for skilled IT pros, especially in cybersecurity roles, but the IT talent shortage, the Great Resignation and the Great Resistance will make such critical positions even harder to fill. As a result, organizations will turn to cloud platforms that require fewer IT pros to operate and manage, as well as to other types of IT service providers. They’ll also be investing in automation to streamline the work that remains for the in-house IT team.
4. Organizations will pay far more attention to licensing.
For a deeper dive into predictions around the IT talent shortage and Microsoft 365, I made sure to include senior engineer Curtis Johnstone at our roundtable. A 12-time Microsoft Office Apps & Services MVP, Curtis is also the creator and chief contributor to Inside Office 365, so I could hardly ask for a better resource! Here’s the first of his two insights about what to expect in 2022.
Organizations are in for sticker shock. After a decade of no price increases for base Office 365 service plans, Microsoft plans to increase the monthly fee for most Office 365 and Microsoft 365 plans effective March 1, 2022. Here are the changes (all prices are per user per month):
- Office 365 E1 — To increase from $8 to $10
- Office 365 E3 — To increase from $20 to $23
- Office 365 E5 — To increase from $35 to $38
- Microsoft 365 Business Basic — To increase from $5 to $6
- Microsoft 365 Business Premium — To increase from $20 to $22
- Microsoft 365 E3 — To increase from $32 to $36
- Microsoft 365 E5 — Will remain $57
- Education and consumer products — No changes
While a $2 or $3 monthly increase might not seem like much, across thousands of users this can represent a yearly price increase of tens or hundreds of thousands of dollars! With dependence on cloud applications increasing (see prediction #2), the price jump can quickly blow a huge hole in your IT budget.
Moreover, the current discounts that organizations have with existing Enterprise Agreements (EAs) could be in jeopardy now that the move to cloud services has matured and organizations are dependent on these services to run their businesses. Plus, the Great Resignation and the Great Resistance have affected Microsoft as much as any other organization, so the sales rep you’ve worked so hard to build a relationship with might have moved on to greener pastures.
As a result, organizations will be paying close attention to licensing costs in the coming year. With increased use of cloud services combined with the increased volatility in the workforce and the IT talent shortage, they’ll be looking for tools to help them clearly understand their license usage and right-size their license expenditure so they can re-assign licenses effectively and eliminate unnecessary costs.
5. Managing and securing Microsoft Teams will be even more of a focus for IT pros.
Curtis also offered his thoughts about what to expect with Microsoft Teams in the coming year.
With the labor market tight, organizations are acceding to the demand for remote and hybrid work options. As a result, leading remote work collaboration solutions such as Microsoft Teams continue to evolve rapidly, delivering a continuous stream of new features and capabilities to make collaboration better for both in-office and remote staff.
IT teams have been under pressure to understand and configure these new capabilities and deploy them in their organizations such that they are secure and meet governance guardrails. New capabilities such as the soon-to-be-released Shared Channels in Microsoft Teams, which will allow user data to more seamlessly flow in and out of the organization, will put more pressure on IT departments to manage and govern Teams in a way that is secure and protects the organization’s assets, even as the IT talent shortage makes it harder to find qualified staff.
The continued use and growth of Teams will also lead to more sprawl. Regular cleanup will become the norm, including a continuous need to inventory and evaluate existing teams for their purpose and activity. The resulting decommissioning of legacy teams and their associated channels and data will require organizations to look for ways to automate inventory and review of all the components of Teams.
Given the tight integration of Microsoft Teams with Azure AD and the other Microsoft 365 workloads, better IT governance across the whole ecosystem will help with the proper management of Teams, their underlying groups and more. That includes ensuring correct team membership, following team lifecycle best practices, controlling external access (federation) and guest access, and establishing sound administrative policies for chat, meetings, live events and other collaboration features. For a deeper dive, check out this primer on how to secure Microsoft Teams.
6. The insider threat will be more pronounced than ever.
You might think I’ve exhausted the list of experts at Quest with valuable ideas to contribute to this list of predictions concerning the IT talent shortage, but you’d be wrong! The group also included Mike Weaver, a Microsoft MVP and technical product manager at Quest and an expert in solutions for mergers, acquisitions and divestitures in the Office 365 ecosystem. Here’s the first of his two predictions for the coming year.
Multiple factors are driving profound volatility in the workforce. The Great Resignation is seeing employees in all roles, in all professions, in all types of organizations around the world leaving their jobs in droves. This churn means a lot more users coming in and out of your network, and more chances for over-provisioning users and failing to promptly de-provision them when they leave.
Meanwhile, the Great Resistance is spurring workers to question organizations’ policies and conditions more closely, and factors like lack of child and elder care further contribute to a tight labor market, putting employees in the driver’s seat. A common demand is continued remote work, which means IT teams need to up their game at securing remote devices and cloud services like Microsoft 365.
Finally, a long and broad history of at-will employment, in which organizations could — and often did — terminate workers at any time and for any reason, has come home to roost. Candidates and employees alike are ghosting organizations at an unprecedented rate, highlighting the zeitgeist that employers have not shown loyalty to employees in the past and therefore are undeserving of loyalty from employees now. With more of these disaffected users in the IT environment, IT pros need to be even more vigilant about auditing the IT ecosystem for suspicious activity, keeping in mind that both malicious intent and carelessness can lead to system downtime and data breaches. The rise of human-operated ransomware is of particular concern. With the persistent IT talent shortage, high-quality automated solutions will be in high demand.
7. M&A will become a mixed bag of strategic divestitures and land-grabs.
Mike also provided some thoughts about how the M&A landscape will look in the coming year through the lens of the IT talent shortage.
In 2022, increased government scrutiny and desire to promote competition in the US economy will result in a slowdown in merger and acquisition (M&A) activity in regulated industries. Enforcement will focus on labor markets, agricultural markets, healthcare organizations like hospitals and insurance providers, and the tech sector.
With the massive business shift resulting from COVID-19 challenges and opportunities, we are likely to see an uptick in M&A activity. One study in the UK expects that only 14% of small businesses will return to pre-COVID-19 levels of trading by December 2021. The continued business challenges will see companies needing to combine forces to get through the crisis, or worse, enter into a bankruptcy sale.
Those that can acquire will require more due diligence. In particular, organizations will need to carefully scrutinize security concerns, global shipping slowdowns and other supply chain issues, the global IT talent shortage and tight labor market, and the potential for mass resignations due to the uncertainty that comes with M&As.
8. Tenant-to-tenant (T2T) migrations will become more complex and time-consuming.
Rounding out my illustrious group thinking about the IT talent shortage was Rich Dean, senior manager of technical product management at Quest. An expert in Microsoft 365 and Azure, Rich has helped hundreds of organizations achieve their migration and consolidation goals, and he had some interesting insights concerning tenant-to-tenant migrations.
Email is slowly losing its dominance as the primary communication method within organizations. With the advent of workplace messaging services like Microsoft Teams, Google Workspace and Slack, the preferred methods of collaboration are now chat and real-time conversations. As a result, data is being stored less in Exchange Online and more in SharePoint Online.
Accordingly, IT pros will need to adjust the priorities and strategies for tenant-to-tenant migrations, such as IT integrations associated with M&As. In particular, they will need to scrutinize the data involved based on complexity, usage patterns and business criticality, and carefully consider how to ensure seamless coexistence during the migration project. As a result, we will see an increased focus on pre-migration analysis and planning, and M&A projects will take longer.
9. The release of Windows Server 2022 will spur organizations to re-examine their IT strategy.
I know, I know! You’re thinking, Jen, this is supposed to be a blog about predictions about 2022 — Windows Server is so twentieth century; how in the world can it still be relevant?
Well, the fact is, most organizations today are hybrid, with an on-prem Active Directory that plays a key role in authentication and authorization not just for on-prem applications but cloud services like Microsoft 365 as well. Therefore, the release of Windows Server 2022 will be an important factor in IT planning for the coming year. Here are Rich Dean’s predictions for how that will play out given the IT talent shortage.
Organizations will have to carefully consider their options. The new version of Windows Server promises multiple benefits, from more advanced security to new hybrid capabilities to scalability improvements. But upgrading necessarily entails both effort and risk, so some organizations will opt to upgrade while others will stick with their current version.
But, as you astutely recognized, the cloud is the future. Windows Server 2022 marks a larger inflection point that will spur organizations to assess their IT strategy more broadly: What should we keep on premises and what should be in the cloud? Do we even need an on-prem infrastructure anymore, especially since the IT talent shortage makes it so hard to find IT pros with the expertise to properly maintain and secure it? Some organizations will choose to go fully to the cloud, offloading more IT processes to Microsoft in order to focus on their core business, while others will keep an on-prem infrastructure.
Both choices will drive demand for third-party services and solutions. For example, moving to the cloud requires carefully analyzing your entire Group Policy and figuring out how to recreate similar controls in the cloud. And the explosion of devastating attacks like ransomware, along with changes like the retirement of the Enhanced Security Admin Environment (ESAE) architecture (AKA Red Forest), will force all organizations to consider adopting a modern Zero Trust security model.
Now you have the Quest team’s top predictions for 2022 around the theme of the IT talent shortage. I hope you’ll find them useful in enhancing security, productivity and efficiency for your organization in the coming year.