This morning, Critical Start released its first-ever Cyber Risk Landscape Peer Report, which explores some of the major concerns and challenges currently confronting cybersecurity leaders as they manage risk within their organizations. The report also examines the amount of risk that organizations are willing to accept, resource constraints, and key priorities for approaching cyber risk in the future.
Results of the study, conducted in partnership with research consultancy Censuswide, reveal that businesses are struggling to understand their cyber risks, with 66% of respondents indicating they have limited visibility and insight into their cyber risk profiles, hindering their ability to prioritize investments and allocate resources effectively.
Amidst an environment of ever-evolving cyber threats, there is a strong need to evolve how the industry approaches cyber protection for businesses, so that security leaders are better equipped during a period of staffing shortages and burnout. This is evident as 67% of organizations experienced a breach requiring attention within the last two years despite having traditional threat-based security measures in place. Further, 61% of security executives expressed concerns over the current misalignment between cybersecurity investments and their organization's risk reduction priorities.
Additional key findings from the Cyber Risk Landscape Peer Report include:
- The cybersecurity landscape and what cyber leaders need is changing: 83% of organizations agree that a comprehensive cyber risk reduction strategy will yield a reduction in the likelihood of a significant cyber incident occurring.
- Organizations are looking to be more proactive: 74% of organizations are planning to prioritize proactive risk reduction strategies to stay ahead of the evolving threat landscape.
- Cyber teams are seeking help: 93% of organizations plan to offload specific segments of cyber risk reduction workstreams or projects to security service providers within the next two years.
- Organizations see a need for holistic cyber risk management solutions: 93% of organizations expressed the belief that a holistic, evidence-based approach to cyber risk management will yield a reduction in the likelihood of a significant cyber incident occurring. This includes integrating risk assessment, protection, detection, response, and recovery into a cohesive strategy.
Here are some comments on the cyber risk landscape from cybersecurity vendor experts.
Mika Aalto, Co-Founder and CEO at Hoxhunt:
"Today, most security leaders admit that data breaches are a question of 'when,' not 'if,' because most have responded to an incident within the past few years. The 'it could never happen here' mentality disappears when data breaches, usually from phishing attacks, are literally happening everywhere, in every industry, to companies of all sizes. What's important now is for executive leadership to have that same sense of urgency as infosec leaders. CEOs need to work hand-in-hand with CISOs and foster a security culture where human risk—which is by far the greatest source of risk—is actively measured, managed, and mitigated.
The attack surface expands exponentially when individual employees and outsourced business functions are working out in the wild on multiple devices, any one of which can be transformed by a threat actor into a gateway to the system with one bad click. Security teams can mitigate that risk by adding capabilities such as endpoint detection and response, auto-updates and patching, MFA, and zero trust practices. However, it ultimately comes down to hardening the human layer, so people can catch sophisticated attacks that evade technical protections.
It's critical to accept innovative approaches to managing human risk because the pillars of cyber risk management, such as cyber insurance, have been wobbled by a threat landscape that is quickly evolving into a real monster with the introduction of advanced technologies and increasingly sophisticated tactics and criminal organization. But while the cybersecurity game has changed, the key players remain the same: it's all about employees. That's who the attackers are going after. So should we with our solutions. The human layer of security can and should re-think people as an untapped security resource. It's vital to take a risk-based approach that goes far beyond mere compliance and extends into protect-detect-respond capabilities."
Piyush Pandey, CEO at Pathlock:
"Many organizations that we speak with are looking to increase the visibility required to enable risk-based decision-making when it comes to securing their critical business applications. This means leveraging automation and technologies like AI to help them manage risk at scale, with consistency and in an informed manner which doesn't require time-consuming, costly manual reviews.
We are seeing more and more organizations increasing their budgets around the testing, monitoring, and enforcement of their controls, such as application access and application security configurations. With proper access governance and application security controls, the potential risks of cyber breach or data loss are significantly reduced.
Organizations need a plan which outlines their strategy for securing the company's most important assets that is in line with their business objectives. Part of this plan also needs to outline the 'cost of doing nothing'—the impact of a breach or data loss—that essentially becomes their 'why' from the outset.
The C-Suite is going to be a major stakeholder moving forward. Cybersecurity leaders should closely align with the line of business leaders who are running the core business applications (ERP, financials, HR, supply chain, CRM) which are housing the critical data which often ends up being the company's most important asset to protect. These line of business leaders will be involved in ensuring the proper access strategies to enable the business, but also to meet security and compliance requirements for controls and configurations."