Research firm ThoughtLab recently announced the results of its 2022 cybersecurity benchmarking study called “Cybersecurity Solutions for a Riskier World.” Dubbed the world’s largest cybersecurity benchmarking, the study went in-depth into the cybersecurity strategies of 1,200 major organizations in over a dozen sectors across 16 countries. Representing the state of how over $125.2 billion in annual cybersecurity spending is utilized, the study reveals the low confidence of top executives in their organizations’ ability to confront new threats.
The study found that 40 percent of Chief Information Security Officers (CISOs) believe that their respective organizations are not ready to deal with the fast pace of changes in the cyber threat landscape. This may be unsurprising given that this finding is not that different from what other similar smaller studies have discovered over the past couple of years. Still, it is an issue worth examining countless times to drive the point that the current state of cybersecurity affairs does not have to stay as-is.
Can organizations be ready?
Before discussing the reasons why organizations have a hard time preparing for the modern cyber threats confronting them, here’s an important point to make: it is not impossible to be ready for the threats. As mentioned, only around 40 percent express a lack of confidence in their cyber threat preparedness. Even assuming that a significant number of those surveyed were just being overconfident, it would be a stretch to say that the overwhelming majority of organizations are completely defenseless against cyberattacks.
If cybercriminals are relentless, security firms are similarly determined to combat the threats. They continue to develop new technologies or solutions to address the increasing aggressiveness and sophistication of attacks. Extended security posture management (XSPM), for one, was developed to keep up with the ever-evolving nature of cyberattacks. It expands conventional cybersecurity by adding automation, analytics, insights, and access to systematic threat modeling and the most up-to-date threat intelligence.
While there are surveys that show that around three-quarters of organizations suffered at least one cyberattack over the past year, this does not mean that this overwhelming majority have been unprepared to deal with the problem. Most have survived or properly mitigated the problem after they were attacked. It would be irrational to expect absolute protection. There will be possibilities of failures, but organizations can indeed be ready to address highly aggressive and complex attacks.
Why many remain unprepared
From the number of respondents who admitted that their organizations were not ready for rapidly changing threats, the following numbers are worth noting:
- 44 percent said that the reason is the complexity of supply chains.
- 41 percent pointed to the fast pace of digital innovation as the reason.
- 28 percent said the reason is the inadequate cybersecurity budget.
- 28 percent said that the absence of executive support is to blame
- 24 percent attributed the problem to the shortage of cybersecurity talent
- 25 percent blamed the convergence of digital and physical assets
There is nothing shocking or new in these reasons. The growing complexity of (software) supply chains claims at least one high-profile victim: SolarWinds. The perpetrators of the SolarWinds attack reportedly knew the details of how the SolarWinds software build process worked. This knowledge allowed them to come up with an inconspicuous way to insert malicious code during the software compilation stage.
If an organization as big as SolarWinds failed to notice the attack on its software supply chain, it would not be surprising to see smaller and less financially capable organizations faring worse. They do not have enough cybersecurity budget to acquire the most effective security solutions and hire security experts who could come up with protocols, policies, and measures that would keep cyber threats and risks in check.
Adjusting to more complex environments because of rapid technological innovation and the intermingling of digital and physical assets is going to be a daunting challenge for many organizations. Their limited budgets and cybersecurity expertise makes it difficult to be proactive and forward-looking, especially when they have many other crucial concerns to attend to.
Recommendations on improving cyber threat readiness
The ThoughtLabs security benchmarking study provided a list of best practices to help organizations in improving their preparedness for emerging threats. Interestingly, most of the recommendations support the idea of moving towards extended security posture management.
For instance, the study advises organizations to adopt a rigorous risk-based approach that involves advanced quantitative analysis of risk impacts. XSPM features a threat alert prioritization scheme that assigns scores for the different risks to make it easy for cybersecurity teams to see the most urgent concerns. These scores and threat prioritization ensure that the large volume and frequency of security alerts do not drown important notifications into obscurity.
The study also tells organizations to take advantage of the latest technologies while not falling into the product proliferation trap (the inefficient use of too many security products). It is not uncommon for organizations to employ a mix of solutions for different security needs. This can be an issue, though, as it becomes difficult to keep track of numerous security controls, particularly the security data they generate. With extended security posture management, all these different solutions can be brought together under a single dashboard or interface that makes monitoring and response easier and more efficient.
Another noteworthy recommendation is on harnessing intelligent automation. The study indicates that automation has helped CISO’s achieve better cybersecurity results. Around 30 percent of organizations that saw outstanding dwell times made use of smart automation. Automation is a key feature of extended security posture management since it employs breach and attack simulation (BAS) as well as advanced purple teaming.
Additionally, the ThoughtLabs study suggests making improvements in the security controls for expanded attack surfaces in view of the widening of attack surfaces due to remote working arrangements, cloud migration, and greater supply chain complexity, and overall digital transformation. This guidance aligns with XSPM’s emphasis on better attack surface management.
Moreover, the study highlights the need for organizations to take cybersecurity maturity to the highest level. This entails the adoption of advanced cybersecurity frameworks such as the NIST framework. Extended security posture management also relies on a well-known security framework called MITRE ATT&CK, which shares the latest threat modeling and threat intelligence to organizations worldwide to facilitate a more organized and effective approach in detecting, preventing, and mitigating the latest adversarial tactics and techniques.
In summary
It is possible to improve cyber threat preparedness and fare better when cyber-attacks happen. It is not going to be a walk in the park, but the information, resources, tools, and platforms to achieve better readiness in dealing with the new era of cyberattacks are already available. Organizations just need to learn how to prioritize their resources and exert the time and effort to learn more about the new solutions designed to better respond to more aggressive and sophisticated attacks.
