Today, Critical Start released its second annual Cyber Risk Landscape Peer Report, which explores concerns and challenges around cyber risk mitigation for enterprises. Most notably, the report found that 86% of cybersecurity professionals cite unknown cyber risks, rather than known threats, as their top concern. This is an increase of 17% compared to last year, signifying a need to advance proactive cyber risk management practices in addition to threat-based detection and response within security programs.
The report finds that the increasingly complex and pervasive cyber threat landscape requires businesses to implement more robust and proactive cybersecurity measures, yet concerns around lack of company alignment and visibility persist.
Critical Start's report also examines key themes, such as the increased complexity of cyberattacks, lack of cyber expertise continuing to be a growing issue, and proactive risk mitigation becoming a necessity rather than a nice-to-have.
Here are a few key statistics from the report:
"Peer reports, such as those provided by Critical Start, offer periodic reference points to assess an organization's approach to specific topics compared to others," said Randy Watkins, Chief Technology Officer at Critical Start. "These reports not only highlight current trends and emerging threats, but also help organizations stay updated on the latest developments in cybersecurity. By leveraging data-driven insights, organizational leaders can evaluate potential areas for improvement and drive internal change through informed decision-making."
Watkins pointed to a few additional observations from the report:
Based on this information, Watkins added, more takeaways are:
Here's a snippet of the report, specifically Section 4, Challenges Driving the Evolution of MDR to Shift Left:
Lack of time and resources: A significant challenge highlighted by the survey is the lack of time and resources available to adequately address cyber risks. About 97% of respondents indicated that they either somewhat or completely lack the time to continuously monitor their security posture and identify potential areas of control failure. This lack of resources hampers their ability to implement comprehensive security measures and respond promptly to threats.
Increasing trend toward outsourcing: The survey also indicates a growing trend among cybersecurity professionals and executives to outsource specific segments of their cyber risk reduction efforts. About 99% of organizations plan to offload segments of cyber risk reduction workstreams or projects to security service providers within the next two years. Driving this trend is the recognition that unknown risks pose a serious concern, and outsourcing can provide the necessary expertise and resources to manage these risks effectively while enabling organizational resources to focus on implementing a broader security strategy.
Ineffectiveness of traditional detection and response: Traditional security measures, such as firewalls and antivirus software, focus primarily on preventing known threats. While these tools are essential, they are often insufficient in dealing with sophisticated and evolving cyber threats. Of the cybersecurity professionals surveyed for this report, 86% told us that unknown organizational cyber risk is currently a top concern—up 22% from our 2023 survey.
"Navigating the balance between budget constraints and the escalating costs of cyber incidents is challenging. However, cybersecurity is not just a cost center," said Chris Morales, Chief Information Security Officer at Netenrich. "It is a critical component of overall business resilience and trust. In addition, security burnout, an escalating issue in the cybersecurity community, has reached a crucial point, especially for security analysts and managers handling their organization's security operations. This burnout is primarily due to the increasing volume of security events and is further exacerbated by a skills shortage and the complexity of managing these newer threats."
Morales continued, "Embracing technology that amplifies IT and security teams' capabilities enables them to stay ahead of threats despite budgetary constraints. The solution is not simply acquiring more tools or hiring more talent but a strategic shift towards a data-driven approach. This approach empowers IT and security professionals, unlocking greater value from existing investments while enhancing the work environment for security and operations teams."