Arraya Insights | May 11, 2020
Looking for some insight into what your peers are doing (and seeing) as they work to keep their own organizations secure? One resource worth checking out is Cisco’s 2020 CISO Benchmark Study. In compiling this incarnation of its yearly tradition, Cisco crowd-sourced the knowledge and experiences of more than 2,800 technology decision-makers from around the world. The result is an informative and frequently eye-opening report from the frontlines of the never-ending fight against cyber criminals.
Here are nine points from the report that stood out to the Arraya team:
- Cyber security still a top priority – but trending down? Never fear, an overwhelming majority (89%) of participants confirmed that their executive leadership teams still see security as a top organizational priority. While it is overwhelming, that number is also trending down, dropping about 7% across the previous four years. The reason for the decline isn’t immediately clear. However, it could be a sign that security leaders must be prepared to do even more to get their concerns and asks in front of other executives.
- Breaking bad news to the C-suite. Statistics (and not just those inside Cisco’s report) have a huge role to play in cyber security conversations, especially when something goes wrong. Metrics like time to patch, time to contain and time to detect all speak volumes in this regard. Yet, during conversations following an incident, most IT leaders choose to lead with time to remediate. More than half (57.2%) of security leaders acknowledged using that as their go-to stat in conversations with other executives about security issues.
- ‘An ounce of prevention …’ Sure, it may be a cliché, but it also accurately describes that way in which cyber security spend has gone lately. Cisco’s report broke security spend down into five categories: Identify, Protect, Detect, Respond and Recover. The amount of budget allocated to identifying threats rose by roughly 6% from last year to this one. Spend dedicated to protecting against and detecting threats remained mostly unchanged from 2019 levels. Response and recovery spend, however, both declined from 2019 to 2020 indicating organizations are open to upping budgets as long as the increase goes toward keeping the bad guys at bay.
- Where do data breaches hurt most? Often we think of data breaches in terms of their financial fallout or the damage they can do to an organization’s brand. While each can undoubtedly take a major hit following an incident, security pros named another area as the one most likely to be affected. Cisco’s findings listed operations as the business function most impacted when a breach occurs. Operations (36%) just edged out reputation (33%) and finances (28%) to take home the top spot. If there is ever any dispute as to whether or not security must be a multi-disciplinary concern, the multi-disciplinary fallout of a breach should put it to rest.
- Reining in the financial fallout of breaches. Finances may not bear the brunt of a data breach, but the impact is hardly negligible. Cisco’s researchers found six practices helped organizations reduce the financial fallout of a data breach. These steps included:
- formally reviewing and honing security practices regularly
- habitually auditing network connection activity and network security interactions
- integrating security into the organization’s business posture
- deep diving into the cause of and response to security incidents
- integrating security solutions into an intelligent, interconnected web
- keeping threat detection and blocking solutions up to date
- Quantifying the ROI of patches. Patching has a way of getting pushed to the bottom of to-do lists, but the consequences of allowing that to happen can be great. Cisco’s team found that 46% of organizations suffered a cyber security incident that originated from a missed patch. That’s up 16% from the prior year. Furthermore, 68% of organizations that fell victim to a breach starting with an unpatched vulnerability wound up losing 10,000 data files or more. Among those who dealt with a breach stemming from other causes, only 41% reported similar consequences. If patching can’t seem to find its way up IT’s list of priorities, it might be worth offloading the responsibility to an outside partner to avoid comparable results.
- Moving toward fewer vendors, less complexity. Over the last three years, organizations have gravitated toward vendor consolidation. In this year’s report, 86% of organizations said they fell into the smallest category (one to 20 vendors). That represents a jump from 79% two years earlier. Part of this decrease may be driven by a desire to provide some relief to technology teams facing increasingly complex workloads. Fewer organizations believe it’s easy to manage their multi-vendor environments, down from 26% to 17%, while the number of those who see it as very challenging has gone up by 8%. Reducing the compatibility and communication issues often associated with pooling technologies from a multitude of vendors is a great way to put time back in IT’s hands for other projects.
- Addressing the root cause(s) of cyber security fatigue. Cisco observed security alert follow-ups at their lowest in more than four years, dropping to just 48% this year. That’s a lot of warnings going uninvestigated. This could have something to do with the fact that 42% of respondents also professed to have cyber security fatigue. What’s causing that fatigue? Well, 93% of sufferers say they receive more than 5,000 security alerts every day. Further, only 26% of investigations turn up a legitimate incident, meaning security pros are dealing with a huge number of false positives. Environmental complexity may also be an issue. More than 9-in-10 (96%) of fatigue-sufferers described managing multi-vendor environments as a challenge. AI, or even an outside partner, can be a valuable way to ensure alerts are looked into without increasing workloads or fatigue.
- MFA usage still dangerously low. One almost throwaway statistic that stood out was that only 27% of organizations that participated in that study are securing their environment with multi-factor authentication. That seems far too low for something that should be on its way to becoming table stakes for securing identities and access at this point.
Next Steps: Transforming Cisco’s lessons in real world action
There are plenty more insights and real world lessons to be found in Cisco’s 2020 CISO Benchmark Study. When you’ve finished reading, be sure to reach out to Arraya’s cyber security team to begin putting your takeaways into action. Our team can provide the strategic guidance and hands-on skills needed to help your organization modernize and enhance its security posture.
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team now.
Follow us to stay up to date on our industry insights and unique IT learning opportunities.