RSA CONFERENCE — San Francisco — Security hygiene and software supply-chain/vendor risk have emerged as the top two security priorities for chief information security officers (CISOs) at medium-sized organizations, new research has revealed.
That's according to Forgepoint Capital, which surveyed CISOs across a spectrum of industries and sizes. For organizations with 50 to 1,000 employees, security hygiene is seen as particularly critical, according to the data.
"Most breaches are due to unpatched systems, misconfigurations, poor passwords, and other easily avoidable issues," the report, shared with Dark Reading at the 2022 RSA Conference this week, pointed out. "Typically, organizations of this size don’t have the budget to build multiple backups and failovers, with real scenarios where a security incident can put the company out of business."
That said, there was notable variance across industry segments. For instance, zero percent of respondents in the healthcare vertical cited security hygiene as a priority.
"It's not that they think that nurses don't need to worry about passwords," says Will Lin, managing director of Forgepoint. "It's that security responsibility is much more distributed than in other industries. If I'm, say, BlueCross BlueShield, I can't control the password requirements and security hygiene of all the subsidiaries I have. It's each one's own responsibility to do it. I have to prioritize what I can actually solve."
There's a different narrative for professional services firms, where more than 80% said security hygiene is a top focus.
"They're exactly the opposite from healthcare," Lin says. "They're responsible for the security of all their consultants. These are all my employees, I need to do it. So that's why it becomes the highest priority for this group."
Cybersecurity Workforce Shortage
Meanwhile, CISOs at organizations with fewer than 50 employees cited talent development and social-engineering awareness as their top two priorities, with the ongoing cybersecurity workforce shortage of particular concern.
"Talent departure and social-engineering attacks can have major ramifications," according to the report. "Due to the small size of their employee base, these companies can realistically affect more change by focusing on human capital than a large organization can. As companies grow larger, no matter how much access control is established, threat vectors will remain. Thus, the focus shifts from personnel to security automation and incident response."
When examining CISOs' views of security prioritization by industry, the survey found that all security professionals prioritize areas with the highest return on investment (ROI). For example, 50% of professional services companies marked security hygiene as an essential focus, but healthcare professionals are focused more on the software supply chain and third-party vendor risk, such as the security of connected medical devices, given its bigger tie to ROI in their field.
Cloud Migration and Digital Transformation
Forgepoint also found that cloud migration is driving security prioritization for medium-sized businesses in particular, with 73% of survey respondents noting that it's a factor in 75% or more of their efforts. In contrast, just 13% of very large businesses (more than 10,000 employees) and 43% of large businesses (1,000 to 10,000 employees) said the same. For businesses with fewer than 50 employees, half of them said the move to the cloud is driving 75% of their security choices.
"Very large companies, surprisingly enough, are actually the furthest behind cloud migration," Lin tells Dark Reading. "And the smaller companies are further along in cloud migration. The big companies have a lot of legacy infrastructure, so it's going to take them a much longer time to move to the cloud, while smaller companies are more cloud native, and they're trying to cut costs, which the cloud helps with."
Digital transformation also emerged as a top security motivator for CISOs in every industry except for professional services — likely due to the ongoing reality of remote working forcing businesses to embrace software-as-a-service and other corporate working apps.
This is driving a new security focus on securing application programming interfaces (APIs, cited by 62% of all respondents) and DevSecOps for embedding security into application development (cited by 54%).
Areas of Control and Cyber Insurance
Survey respondents said traditional access control areas like data security (40%) and identity (41%) are still top priorities for organizations. But more than a quarter (28%) of CISOs highlighted an emerging area, cyber insurance, as a top control area of interest.
With ransomware, malware, APTs, and other cyberattacks at all-time highs, organizations of all sizes are considering investing in cyber insurance — however, it's a painful process, Lin says, especially as many insurance firms don't cover ransomware incidents, and the application process can be onerous and dictate where precious security dollars are invested.
"The cost of cyber insurance is going up, and the coverage is going down," Lin says. "And perhaps most of all, the questionnaires that cyber insurance companies give companies to fill out in order to determine how expensive coverage will be don't provide a representational picture of how good of a bet insuring a company is."
For instance, many require companies to have multifactor authentication (MFA) on all accounts in order to qualify for affordable coverage — but its across-the-board implementation at the expense of other efforts (patching, for instance) may not be the best approach for defending the business.
"Companies themselves often don't know how effective their controls are, so how could a cyber insurance underwriter be predictive?" Lin says. "If the question is, do you have an MFA on everything, companies can never check yes to that. Because there are some places where you can't have MFA. It's just not physically possible. Or, in some cases the app that's doing all the authentication might not have an MFA feature enabled. So they have to click no, and when they do, they immediately see a premium increase."
Meanwhile, just 24% of all respondents cited monitoring threat intelligence as a priority — which is a function of it being perceived as difficult to operationalize, Lin says.
"The key issue is, even like organizations like Google have no idea what to do with all of the telemetry and data," Lin said. "Companies simply have a tough time figuring out what to do with their threat intel — it's just the actionability of it."
Overall, the survey also found that three-quarters (76%) of CISO survey respondents say they expect security budgets to increase this year.
"As cybersecurity budgets increase, it’s expected that budgets will become more flexible to accommodate new and emerging products that defy the limitations of the currently identified categories," Forgepoint concluded.