Industry Report | 2022 Security Posture Report

2022 Security Posture Report Foreword

The report shows that with organizations moving to the cloud, ransomware on the rise, and cybersecurity issues pervasive, businesses increasingly want to measure cyber risk in monetary terms, and cybersecurity teams are working to measure and improve their security posture and to gauge the impact of cyberattacks on the business.

The report was produced by Cybersecurity Insiders, an online community of 500,000 information security professionals, to explore the latest trends, key challenges, gaps, solutions, and more in cybersecurity operations.

Key findings

62% of organizations are not confident in their security posture. The lack of visibility into asset inventories and the inability to prioritize vulnerabilities based on business risk are the reasons for this.

62% of organizations are unable to quantify their cyber risk in monetary terms.

83% of organizations do not have a unified view of the cloud and on-premises security posture. This leads to problems such as silos and inefficiencies in security posture management.

Cybersecurity leaders struggle to communicate their security posture clearly to boards of directors and senior management.

Holger Schulze

CEO and founder of Cybersecurity Insiders

Confidence in the security posture

Organizations have a clear lack of confidence in their security posture. 62% said they had, at best, some confidence in their security posture.

How confident are you in your organization's overall security posture?

Cyber risk impact

62% of organizations are unable to quantify their cyber risk in monetary units, making it difficult for cybersecurity leaders to get the board's attention and justify investment in cybersecurity personnel and controls. So, for most organizations, giving a board presentation is just "yes."

Can you quantify your cyber risk in monetary units (USD, EUR, GBP, etc.)?

Which of the following best fits your most recent board or senior management presentation on cybersecurity?

Blind spots in the asset list

To accurately measure their security posture, organizations need to look at their asset inventory and understand what assets they own, which is the foundation for protecting those assets. When asked to assess their awareness of their asset inventory, 58 percent of organizations said they know of less than 75 percent of the assets on their network.

83% of organizations confirm that they have at least 50% asset coverage. That is, the organization has a rough idea of how many assets it owns. The business context and classification of each asset are also critical. This is a major issue, because organizations are working to improve their security posture without an accurate, up-to-date inventory.

Which of the following best describes an organization's treatment of asset inventory?

Insufficient visibility is a problem

The report shows that only half of organizations have sufficient visibility into cyber risk. While 65% of organizations report that they have ongoing visibility, a lack of prioritization and of the resources needed to patch in a timely manner hampers the effectiveness of vulnerability management procedures.

Does your business have overall security visibility?

Risk areas

The research team asked organizations which areas of risk they had ongoing visibility into. 68% of organizations listed unpatched systems, followed by identity and access management (59%), and phishing, networking and ransomware (52%). Worryingly, organizations report lower visibility into risk areas such as asset inventory (49 percent), cryptographic issues (48 percent), and malicious insiders (23 percent).

Which of the following risk areas do you have ongoing visibility into?

The biggest security threat

When asked about the biggest security threats to organizations, 86 percent of organizations are most concerned about phishing and ransomware attacks. This is followed by vulnerabilities caused by unpatched systems (54%) and misconfiguration (45%).

Which of the following areas do you think pose the greatest risk to your organization?

Vulnerability priority

The inability to prioritize vulnerabilities severely limits the effectiveness of vulnerability management procedures. 40% of organizations find it difficult to tell which vulnerabilities are true threats and which will never be exploited. 37% of organizations focus on only a small fraction of the overall attack surface. 24% of organizations feel overwhelmed by too many alerts to take action.

What currently worries you about security visibility?

Cloud security priorities

In cloud computing, 60% of organizations manually prioritize alerts.

When it comes to cloud security postures, is there a way to prioritize remediation for alerts and cyber risks? How do you prioritize alerts?

Cloud security confidence

63% of organizations confirm that they lack a unified view of cloud and on-premises security postures.

Do you have a unified view of the security posture across cloud infrastructure and on-premises?

Security metrics

It is important that organizations prioritize the right metrics to measure their cybersecurity posture. Patch management metrics were the most frequently mentioned cybersecurity metrics (66%), followed by vulnerability metrics (41%).

Which of the following are the most important cybersecurity posture management metrics?

Assets with poor or no network security visibility: 31% | Average time to remediate vulnerable systems: 31% | Vulnerability scan coverage: 28% | Cyber risk of assets in monetary units (e.g. USD, EUR, GBP, JPY, etc.): 24% | Average time to inventory (all assets on the network): 17% | Assets with deep network security visibility: 14%

Facing the challenge

Asset discovery and management

Although there are some security tools available, sifting through all the data and identifying critical vulnerabilities is an extremely challenging task. As a result, organizations are constantly worried about invisible cyber risks and vulnerabilities. Organizations need to unify all the data generated by their IT and cybersecurity tools, such as CMDB, firewalls, vulnerability tools, EDRs, SIEM, MDM systems, Active Directory, IoT/OT management systems, cloud infrastructure APIs, and more. When looking at their asset inventory and attack surface, the majority of respondents do not account for 25% or more of their inventory assets. This creates a huge blind spot and serious risk in the security posture. Businesses must have a continuous, real-time view of inventory that includes all devices, applications, and services. This means managed and unmanaged infrastructure, on-premises and cloud, and both fixed and mobile. They should also have information about how each device is used.

Risk visibility

Infosec teams need to see for themselves all the devices and applications on their network, as well as the hundreds of attack vectors they are vulnerable to. This visibility should be continuous, as periodic scans quickly become obsolete. Finally, the team should understand the severity of the vulnerabilities and know whether they are real threats or just warnings of danger.

Cloud security posture management

63% of organizations view their cloud and on-premises assets through separate dashboards, and 20% only look at their existing assets. Organizations need to combine cloud and on-premises visibility into a single view, which eliminates the need for security practitioners to view multiple dashboards and increases productivity.

Quantify the risk of default

62% of organizations are unable to calculate their default risk in monetary terms. It is therefore a challenge to attract the attention of the board of directors and enable them to make the right decisions when it comes to security investments. Calculating cyber risk in monetary terms provides a common language, from security engineers and IT administrators to CIOs and CFOs, that organizations can use to prioritize projects and spending and track the effectiveness of their entire cybersecurity program.

Leadership communication

52% of cybersecurity leaders are content with "okay." Presenting effectively, with quantifiable and intuitive risk indicators, is very important. The presentation should focus on business goals and help stakeholders understand where the company stands in terms of cyber risk, where it should be, and how it can achieve those goals.

This report is based on the results of a comprehensive online survey of 297 IT and cybersecurity professionals in the U.S. conducted in October 2021 to explore the latest trends, key challenges, gaps, and solution preferences in cybersecurity operations. Respondents, ranging from technical leaders to IT security practitioners, represent organizations of varying sizes across multiple industries.

Note: This article is reported by E Security Compilation.
