'Alarming Stat': 90% of Security Leaders See Risk Efforts Coming Up Short
A new report on security priorities contains an "alarming stat" about how security leaders see their organizations when it comes to cybersecurity risks.
"The research found that an overwhelming majority (90 percent) of security leaders believe their organization is falling short in addressing cybersecurity risk," said Foundry, a media/marketing/tech firm, in announcing its 2022 Security Priorities Study, which for the sixth year examines the security-related priorities that IT/security leaders are focused on or plan to focus on.
However, that finding isn't actually new or surprising.
"90 percent of respondents say they believe their organization is falling short addressing cyber risks; this alarming stat is consistent with last year's results," the survey-based report said.
As far as how those leaders feel their organizations are specifically falling short, respondents reported:
- Difficulty convincing all, or parts of our organization, of the severity of the risks we face
- Not investing enough resources (budget, people, technologies, etc.) to address the risks we face
- Struggle to find, acquire, and/or retain the technical or professional expertise we need
- Not proactive enough when it comes to security strategy
- Security is not always addressed during application development
- Inadequate security training for users (full and part-time employees, contractors, or outsourced users)
A Sept. 13 post provides more information on how to convince all parts of an organization about risk severity and persuade them to invest enough resources to address those risks: "To overcome these obstacles, security leaders are prioritizing becoming prepared to respond to security incidents, upgrading their IT and data security, and improving the security awareness among their end-users."
The report covers cybersecurity challenges, recent incidents, budgets, cyber insurance and more, with these key takeaways (in bold) presented by Foundry, along with related data from the report:
87 percent of security leaders are aware of what caused their security incidents in the past year, with the majority saying they are due to non-malicious user error (34 percent).
Noting that most security incidents still stem from mistakes, the report said: "Non-malicious user error remains the most commonly cited cause of security incidents, but the percentage citing this factor dropped significantly, at 34 percent this year compared to 44 percent in 2021. Progress? Perhaps. With Zero Trust continuing to make headway ... it's possible that the impact or 'blast radius' of user error is gradually being diminished. When asked about the reasons for the reported shortfall in overall defensive effort, security leaders cited a wide variety of factors, with eight problems mentioned by at least 20 percent, but no problem rising above 27 percent."
When asked what security-related challenges are most often forcing leaders to redirect their time, meeting the demands of regulatory compliance is at the top (28 percent), followed by employee awareness and training issues (27 percent) and unanticipated business risks (25 percent). The report noted that the latter item, unanticipated business risks, was the top challenge last year. As for training issues, those might be related to the longstanding skills dearth that is consistently mentioned as a top challenge in such reports.
"The security skills shortage continues to impact a large portion of organizations," Foundry said. "Almost half (45 percent) of IT leaders are addressing it by asking current staff to take on more responsibilities and utilizing technologies that automate security priorities. Forty-two percent are outsourcing security functions, while 36 percent are increasing compensation and improving benefits. Comparing company size, half of enterprises are asking current staff to take on more responsibilities, and 37 percent of SMBs are doing the same."
The graphic below shows regional differences related to the skills gap.
Furthermore, "More regulation and compliance requirements to mitigate security risks is a positive step but is clearly creating challenges for organizations under-equipped to deal with these changes," said Foundry exec Bob Bragdon. "As security leaders navigate a competitive workforce, they are also looking to their security technology partners to create more efficient and automated practices that make sense for their business and employees."
To overcome their challenges, security leaders continue to allocate a significant amount of their overall IT budget to security -- an annual average of $65 million. This number increases for enterprises to $122 million and decreases for small businesses at $16 million. The small business budget has tripled from 2020 from $5.5 million.
Security leaders are researching various technologies to spend their budget on and to help them mitigate corporate risk. The top 5 are: SOAR (34 percent), Zero Trust technologies (32 percent), SASE (32 percent), deception technologies (30 percent), and ransomware brokers (30 percent).
"Security Orchestration, Automation and Response (SOAR) is respondents' top-ranked technology category on their radar or that they are actively researching (32 percent)," the report said. "Extended Detection and Response (XDR), for automated analysis of endpoint and cloud data in particular, ranks fifth on the same list (28 percent). Identity Threat Detection and Response (ITDR) garners a similar level of interest -- that's more automation."
Foundry exec Bragdon commented: "Everything I hear is much more focused on automation and orchestration -- not just in SOAR but across everything."
As far as Zero Trust, the report said that approach is still accelerating.
"Industry prophets were saying 'the perimeter is dead' well before the year 2000; Zero Trust has emerged as the name for the model that's (finally) reaching critical mass in replacing the old perimeter-centric approach," the report said. "Zero Trust architectures and technologies are steadily working their way into corporate security."
For risk protection, about half of respondents now hold a cyber insurance policy or policies. On a scale of 1 (least satisfied) to 10 (most satisfied), respondents' average rating of the cyber insurance process is 7.9 -- a number that would indicate high satisfaction with this coverage overall.
"A different form of risk transfer, cyber insurance, has even more traction, with about half of respondents reporting that they now hold a policy or policies," the report said. "On a scale of 1 (least satisfied) to 10 (most satisfied), respondents' average rating of the insurance process is 7.9 -- a number that would indicate high satisfaction with this coverage overall."
"As much as people like to complain about insurance, when you ask the specifics, they're not terribly put out by it," Bragdon said. The report said the main complaints are what one might expect for any kind of insurance purchase: 49 percent agree or strongly agree that their policy is too expensive, and 35 percent agree or strongly agree that the insurance policy process demands too much effort.
Among companies that do have a policy, 17 percent overall said they have filed a cyber insurance claim, but this varies considerably by size and region. Among enterprises (1,000+ employees), 26 percent have filed a claim, compared to just 9 percent of smaller companies. In EMEA, it's 32 percent, versus 12 percent of North American companies.
The report from Foundry (formerly called IDG Communications) is based on an online survey of audiences of five company media brands conducted June through August of this year. Results are based on 872 global respondents who are involved in IT and/or corporate/physical security decisions.
David Ramel is an editor and writer for Converge360.