By Cam Sivesind
Mon | Aug 5, 2024 | 6:03 AM PDT

Today, Critical Start released its second annual Cyber Risk Landscape Peer Report, which explores concerns and challenges around cyber risk mitigation for enterprises. Most notably, the report uncovered that 86% of cybersecurity professionals' top concern is unknown cyber risks versus known threats. This is an increase of 17% compared to last year, signifying a need to advance proactive cyber risk management practices in addition to threat-based detection and response within security programs.

The report finds that the increasingly complex and pervasive cyber threat landscape requires businesses to implement more robust and proactive cybersecurity measures, yet concern around lack of company alignment and visibility persists.

Critical Start's report also examines key themes, such as the increased complexity of cyberattacks, the lack of cyber expertise continuing to be a growing issue, and proactive risk mitigation becoming a necessity rather than a nice-to-have.

Here are a few key statistics from the report:

  • Cyberattacks are not slowing down: 83% of cybersecurity professionals reported experiencing a breach incident requiring attention, despite having traditional threat-based detect and respond security measures—a significant increase from previous years.
  • Cyber expertise is a growing issue: In 2023, we reported that 37% of cybersecurity professionals cited a lack of expertise as a challenge faced in effective cyber risk management. This year, that number increased to 50%.
  • Businesses seeking support to become more proactive: 99% of respondents say they plan to implement a managed cyber risk reduction (MCRR) solution to continuously monitor and mitigate cyber risks. 99% of these same organizations are planning to offload segments of cyber risk reduction projects to security providers, which is an increase of 8% compared to 2023.
  • Proactive risk reduction, the new normal: The report found that 81% of organizations are planning to prioritize proactive risk reduction strategies to stay ahead of the evolving threat landscape. This includes continuous risk monitoring, threat intelligence integration, and timely incident response.

"Peer reports, such as those provided by Critical Start, offer periodic reference points to assess an organization's approach to specific topics compared to others," said Randy Watkins, Chief Technology Officer at Critical Start. "These reports not only highlight current trends and emerging threats, but also help organizations stay updated on the latest developments in cybersecurity. By leveraging data-driven insights, organizational leaders can evaluate potential areas for improvement and drive internal change through informed decision-making."

Watkins pointed to a few additional observations from the report:

  • The lack of visibility into assets creates unprotected entry points for attackers. Only 29% of respondents report having full visibility into their asset inventory. This gap in asset protection also affects any third-party services used to enhance an organization's detection and response capabilities.
  • Despite having traditional security measures in place, 83% of surveyed security professionals reported experiencing a cyber breach requiring attention. This not only underscores the advancement of cyberattacks, but may also indicate issues with product deployment or configuration.

Based on this information, Watkins added, the main takeaways are:

  • Organizations need to move beyond broadly deployed traditional security measures and adopt a more proactive approach based on frequent internal and third-party risk assessments.
  • Develop a consistent and reliable asset visibility practice to ensure complete deployment of security controls, including detection and protection.
  • Align investments with risk reduction, focusing on critical assets such as data and business processes.

Here's a snippet of the report, specifically Section 4, Challenges Driving the Evolution of MDR to Shift Left:

Lack of time and resources: A significant challenge highlighted by the survey is the lack of time and resources available to adequately address cyber risks. About 97% of respondents indicated that they either somewhat or completely lack the time to continuously monitor their security posture and identify potential areas of control failure. This lack of resources hampers their ability to implement comprehensive security measures and respond promptly to threats.

Increasing trend toward outsourcing: The survey also indicates a growing trend among cybersecurity professionals and executives to outsource specific segments of their cyber risk reduction efforts. About 99% of organizations plan to offload segments of cyber risk reduction workstreams or projects to security service providers within the next two years. Driving this trend is the recognition that unknown risks pose a serious concern, and outsourcing can provide the necessary expertise and resources to manage these risks effectively while enabling organizational resources to focus on implementing a broader security strategy.

Ineffectiveness of traditional detection and response: Traditional security measures, such as firewalls and antivirus software, focus primarily on preventing known threats. While these tools are essential, they are often insufficient in dealing with sophisticated and evolving cyber threats. Of the cybersecurity professionals surveyed for this report, 86% told us that unknown organizational cyber risk is currently a top concern—up 22% from our 2023 survey.

"Navigating the balance between budget constraints and the escalating costs of cyber incidents is challenging. However, cybersecurity is not just a cost center," said Chris Morales, Chief Information Security Officer at Netenrich. "It is a critical component of overall business resilience and trust. In addition, security burnout, an escalating issue in the cybersecurity community, has reached a crucial point, especially for security analysts and managers handling their organization's security operations. This burnout is primarily due to the increasing volume of security events and is further exacerbated by a skills shortage and the complexity of managing these newer threats."
