RSA CONFERENCE 2020 - San Francisco - The security team, instead of operating in silos, can lower overall post-breach costs if it collaborates with other teams across the organization.
Cybersecurity is still a top priority for executive leadership, researchers say in Cisco's "2020 CISO Benchmark Report." The survey of 2,800 IT decision-makers reveals key trends and pain points as companies face issues such as alert fatigue, mobile security, and private cloud security.
Ninety percent of respondents agree business executives have created clear metrics for assessing the effectiveness of a security program. Time-to-detect ranks highest as a key performance indicator (KPI); however, for reporting to the C-suite or board, time-to-remediate is equally key because it represents the total impact of an incident: downtime, records affected, cost of investigation, lost revenue, lost customers, lost opportunities, and out-of-pocket costs.
Organizations reporting more than 100,000 records compromised in their most severe breach grew from 15% in 2019 to more than 19% in 2020. A major incident has the greatest effect on business operations (36%), followed by brand reputation (33%), finances (28%), intellectual property (27%), customer retention (27%), and supplier relationship (26%), researchers found.
Alert fatigue is a major issue when you consider the number of security products cluttering enterprise environments. There is a gradual trend to reduce complexity through vendor consolidation, with 86% of businesses using up to 20 vendors, and only 13% using more than 20. In 2019, 15% of companies used more than 20 vendors; in 2018, that number was up to 21%.
"We're starting to see this move toward fewer consoles and move toward greater collaboration with other teams," says Wolf Goerlich, advisory CISO with Duo Security (now under Cisco). "CISOs who act on those two trends have better outcomes for the organization."
Even as companies consolidate vendors, they report greater difficulty managing the tools they already have: 28% feel managing a multivendor environment is "very challenging," up from 20% in 2017. More than half (53%) feel it's "somewhat challenging," and fewer (17%) say the process is easy. "My team is stretched beyond the capabilities for which they can be effective," says Ben Munroe, director of product at Cisco, of common customer concerns.
Respondents who report alert fatigue are more likely to struggle in a multivendor environment: Of those who claim fatigue, 93% receive at least 5,000 alerts per day. The share of companies receiving 5,000 or fewer alerts per day dropped from 50% in 2017 to 36% in 2020; during the same time frame, the share receiving 100,000+ daily alerts grew from 11% to 17%.
Network, Security Collaboration Cuts Costs
More than 91% of respondents say their networking and security teams are "very" or "extremely" collaborative; collaboration between endpoint and security teams is also high, at 87%. This trend can have financial benefits in the aftermath of a breach. In 2020, 59% of companies that say they are very/extremely collaborative between networking and security teams experienced a financial impact under $100,000 for their biggest breach, the lowest cost category offered in the survey.
"A lot of it has to do with dwell time: How do we detect what's going on in our environment; how do we remediate what's going on in our environment," Goerlich explains. "To detect, you have to have a really solid understanding of what's going on in our networks and the cloud infrastructure we're plugged into."
And who better to detect than the subject matter experts? The networking team has a better understanding of the environment; as a result, team members know what's typical and what isn't. "There's a reduction in time to detect because they understand what normal looks like, so they can help us understand what abnormal behaviors are," he continues.
The networking team can also help stop threats. When a security operations center analyst spots an event, good practice often means the analyst does not pull the affected equipment themselves. Instead, they pass the finding to the subject matter experts, and the networking team takes over for quarantine, remediation, and cleanup.
"When you have those tight collaborations, you can say, 'This is what we see, this is what needs to happen,' and the handoff is much smoother," Goerlich says.
Key Concerns: Unpatched Vulnerabilities, Private Cloud
Forty-six percent of businesses report a security incident caused by an unpatched flaw, up from 30% in last year's study. Of those that suffered a major breach due to an unpatched bug, 68% suffered data loss of 10,000 records or more — significantly more than the 41% that lost the same amount due to breaches from other causes.
Mobile security is another key concern for this year's study: 52% of respondents say mobile devices are now "very" or "extremely" challenging to defend. Half of respondents say the same about securing private cloud infrastructure, and 41% say the same about securing network infrastructure.
Building on Data: Cisco SecureX Launch
Alongside the release of its "2020 CISO Benchmark Report," Cisco today launched a new security platform, SecureX. It is meant to connect Cisco security products with the tools in existing enterprise infrastructure to improve visibility across endpoints, applications, networks, and cloud. The idea is to provide a single view of threat detections and policy violations in one place.
"Fatigued organizations, an overwhelming number of alerts, a need for automation [are] directly reflected in the way we have brought SecureX to market," says Munroe.
SecureX can scan data and traffic from Amazon Web Services, Microsoft Azure, and Google Cloud, along with private data centers. Security operations teams can share context with IT operations and network operations to create and strengthen security policies across workflows, facilitating the level of collaboration that can potentially drive down the cost of an incident.