A full 40% of chief security officers, and 29% of chief executives and chief information security officers (CISOs), do not believe that their organizations are sufficiently prepared to handle the rapidly changing cyber landscape, according to a new report from the think tank ThoughtLab.
The report, entitled Cybersecurity Solutions for a Riskier World, analyzed the cybersecurity strategies and results of 1,200 large organizations across 14 different sectors and 16 countries, representing $125.2 billion of annual cybersecurity spending.
Five Cybersecurity Weak Links
According to the executives surveyed, their organizations are unprepared for:
- The complexity of supply chains (44%).
- The pace of digital innovation (41%).
- Inadequate cybersecurity budgets and the lack of executive support (28%).
- Convergence of digital and physical assets (25%).
- Shortage of talent (24%).
Organizations in healthcare (35%), the public sector (34%), telecoms (31%), and aerospace and defense (31%) were the least prepared, the study said.
Over the next two years, security executives expect an increase in attacks from social engineering and ransomware as nation-states and cyber criminals become more prolific. Executives anticipate that these attacks will target weak spots primarily caused by software misconfigurations (49%), human error (40%), poor maintenance (40%), and unknown assets (30%).
“The move to digital during the pandemic and now escalating geopolitical tensions are ushering in a new era of cybersecurity risk that will require stronger leadership and wider teamwork among C-Suite executives and their staffs,” said Lou Celi, CEO of ThoughtLab. “While there is no silver bullet, our evidence-based research reveals that organizations need to take their cybersecurity programs to a higher level of excellence by ensuring they are proactive, risk-based, human-centric, digitally advanced, and properly resourced.”
10 Best Practices for Cybersecurity
The study revealed 10 best practices that can limit the damage of a security breach while increasing detection and remediation:
- Take cybersecurity maturity to the highest level. Organizations that are most advanced in applying the NIST cybersecurity framework outperform others on key metrics, such as time to detect a breach (119 days for advanced vs. 132 days for others). They also have fewer annual material breaches (0.76 for advanced vs. 0.81 for others).
- Ensure cybersecurity budgets are adequate. Respondents reporting multiple material breaches in 2021 spent 12.3% of their total IT spending on cybersecurity, while those reporting no material breaches in 2021 spent an average of 12.8%, or $4.7 million more. Organizations that spent more also reported faster times to detect and mitigate a breach.
- Build a rigorous risk-based approach. On average, risk-based leaders—i.e., those most advanced in quantitative analysis of risk probabilities and impacts—saw 22.5 incidents and 0.75 material breaches in 2021, vs. 27.1 incidents and 0.88 material breaches for risk-based beginners. In addition, 50% of top performers in time to mitigate took a risk-based approach vs. 17% of poor performers.
- Make cybersecurity people-centric. Organizations see fewer breaches and faster times to respond when they build a “human layer” of security, create a culture sensitive to cybersecurity risks, build more effective training programs, and develop clear processes for recruiting and retaining cyber staff.
- Secure the supply chain. For 44% of respondents, the growing use of suppliers is exposing them to major cybersecurity risks. Top performers in time to detect, respond, and mitigate are far more mature in supply chain security. For example, over half of organizations with excellent times to detect are advanced in supply chain security vs. 25% of those with poor times to detect.
- Draw on the latest technologies but avoid product proliferation. Organizations with no breaches invest in a mix of solutions, from the fundamentals such as email security and identity management, to more specialized tools such as security information and event management (SIEM) systems. These organizations are also more likely to take a multi-layered, multi-vendor security approach to monitor and manage risks better through a strong infrastructure.
- Prioritize protection of the links between information technology (IT) and operational technology (OT). With the digital and physical worlds converging, the attack surfaces for respondents are widening. Organizations that prioritize protection of interconnected IT and OT assets experience fewer material breaches and faster times to detect and respond.
- Harness intelligent automation. Automation, combined with AI and orchestration, helps CISOs deliver results while freeing up staff from mundane tasks. For example, about three out of 10 organizations with excellent dwell times (the time to detect and remediate) use smart automation vs. 17% of organizations with poor dwell times.
- Improve security controls for expanded attack surfaces. Attack surfaces widened during the pandemic because of greater digital transformation, cloud migration, remote working, and supply chain complexity. The research shows that more companies need to put security controls in place to cover their expanding technology environments.
- Do more to measure performance. Currently, organizations track just 4.2 cybersecurity metrics on average. Executive teams that are more assiduous—monitoring six or more metrics—experience fewer incidents and material breaches. They also respond faster to attacks.