ThoughtLab announced the 10 best practices for cybersecurity in 2022

ThoughtLab, the global research company, has announced the findings of its 2022 cybersecurity benchmarking study, Cybersecurity Solutions for a Riskier World.

The study examined the cybersecurity strategies and results of 1,200 large organizations in 14 different sectors and 16 countries, representing $125.2 billion of annual cybersecurity spending.

The research revealed that the pandemic has brought cybersecurity to a critical inflection point. The number of material breaches suffered by respondents increased by 20.5% from 2020 to 2021, and cybersecurity budgets as a percentage of companies' total revenue increased by 51%, from 0.53% to 0.80%.

During that time, cybersecurity became a strategic business necessity, requiring CEOs and their management teams to work together to meet the higher expectations of regulators, shareholders and boards.

In addition, the role of chief information security officer (CISO) has expanded, with many assuming responsibility for data security (49%), customer and insider fraud (44%), supply chain management (34%), business risk and geopolitical management (30%), and digital innovation and business strategy (29%).

But 29% of CEOs and CISOs and 40% of chief security officers admit that their organizations are not ready for the rapidly changing threat landscape.

Cited reasons include the complexity of supply chains (44%), the rapid pace of digital innovation (41%), inadequate cybersecurity budgets and lack of executive support (both 28%), convergence of digital and physical assets (25%), and talent shortage (24%).

The highest percentage of unprepared organizations are in critical infrastructure industries: healthcare (35%), public sector (34%), telecoms (31%), and aerospace and defense (31%).

Over the next two years, security executives expect an increase in attacks from social engineering and ransomware as nation-states and cybercriminals become more prolific, according to the report.

Executives expect that these attacks will target weak areas primarily caused by incorrect software configurations (49%), human error (40%), poor maintenance (40%) and unknown assets (30%).

As part of ThoughtLab's evidence-based research, its economists assessed the cybersecurity performance of corporate and government organizations against 26 metrics, including the times to identify, respond to and mitigate a cybersecurity breach, as well as the number of material breaches experienced.

The benchmarking study revealed 10 best practices that can reduce the likelihood of a material breach and the time it takes to find and respond to those that do occur. They are:

1. Take cybersecurity maturity to the highest level. The organizations most advanced in applying the NIST cybersecurity framework are ahead of others in key metrics, such as time to detect a breach (119 days for advanced organizations versus 132 days for others). They also had fewer annual material breaches (0.76 for advanced organizations compared to 0.81 for others).

2. Make sure cybersecurity budgets are adequate. ThoughtLab's analysis found a clear correlation between investment and results. Respondents who reported multiple material breaches in 2021 spent 12.3% of their total IT spending on cybersecurity, while those who reported no material breaches in 2021 spent an average of 12.8%, or $4.7 million more. Organizations that spend more also reported faster times to identify and mitigate a breach.

3. Develop a rigorous risk-based strategy. On average, risk-based leaders – i.e., those most advanced in quantitative analysis of risk probabilities and impacts – saw 22.5 incidents and 0.75 material breaches in 2021, compared to 27.1 incidents and 0.88 material breaches for risk-based beginners. In addition, 50% of the top performers in time to mitigate take a risk-based approach, compared to 17% of poor performers.

4. Make cybersecurity people-centered. Cybersecurity is as much about people as it is about technology. Organizations see fewer breaches and faster response times when they build a "human layer" of security, create a culture sensitive to cybersecurity risks, develop more effective training programs, and establish clear processes for recruiting and retaining cyber staff.

5. Secure the supply chain. For 44% of respondents, the growing use of suppliers exposes them to key cybersecurity risks. Top performers in time to identify, respond and mitigate are more mature in supply chain security. For example, more than half of organizations with good times to identify are advanced in supply chain security, compared to 25% of those with poor times to identify.

6. Draw on the latest technologies but avoid product proliferation. Breach-free organizations are investing in a mix of solutions, from basics like email security and identity management to more specialized tools like security information and event management (SIEM) systems. These organizations are more likely to use a multi-layered, multi-vendor security approach to monitor and manage risks more efficiently through a robust infrastructure.

7. Prioritize the protection of links between information and operational technologies. As the digital and physical worlds converge, respondents' attack surfaces expand. Organizations that prioritize the protection of interconnected IT and OT assets experience fewer material breaches and faster times to identify and respond.

8. Use smart automation. Automation, combined with AI and orchestration, helps CISOs deliver results while freeing staff from mundane tasks. For example, approximately three out of 10 organizations with good dwell times (the time to identify and mitigate) use smart automation, compared with 17% of organizations with poor dwell times.

9. Improve security controls for extended attack surfaces. Attack surfaces widened during the pandemic due to greater digital transformation, cloud migration, remote working, and supply chain complexity. Our research shows that more companies need to put in place security controls that cover their expanding technology environment.

10. Do more to measure performance. Currently, organizations monitor only 4.2 cybersecurity metrics on average. Executive teams that are more diligent – monitoring six or more metrics – experience fewer incidents and material breaches. They also respond more quickly to attacks.

The research program draws on the expertise of a team of cybersecurity leaders and experts from across the private sector, government and academia.

The group includes global consulting sponsor Booz Allen Hamilton; leading sponsors Elastic, KnowBe4, Skybox Security, Securonix, Claroty, Axis Communications, Vonood, and Zenkey; supporting sponsors ServiceNow, CyberCube, and Resolute Strategic Services; and research partners Internet Security Alliance and ISF.

The advisory board is comprised of CISOs and other cybersecurity experts from a cross-section of industries.

ThoughtLab CEO and program research director Lou Celi said, “The move to digital during the pandemic – and now intensifying geopolitical tensions – ushers in a new era of cybersecurity risk that will require stronger leadership and broader collaboration of C-Suite executives and their staff.

“While there is no silver bullet, our evidence-based research shows that organizations need to bring their cybersecurity programs to a higher level of efficiency by ensuring they are proactive, risk-based, people-centered, digitally advanced, and well-resourced.”

Booz Allen Hamilton vice president Paul Sussman said, “This landmark study fills the growing need for industry-specific cybersecurity metrics that companies can use to measure their performance against their peers. Research shows that companies have made significant progress against cybersecurity frameworks like NIST, but they need to do more to keep their organizations safe.”
