Enterprise Strategy Group (ESG), a leading IT analyst, research, and strategy firm, and a division of TechTarget, Inc., today announced new research into security hygiene and posture management – a foundational part of a strong security program. The study reveals that many aspects of cybersecurity are managed independently and with antiquated tools, leaving organizations with limited visibility and weak defenses against an ever-evolving threat landscape. Since strong cybersecurity starts with the basics, like knowing about all IT assets deployed, this situation makes organizations vulnerable to advanced threats among strategic, yet often hurried, cloud and digital transformation initiatives.
The new report, Security Hygiene and Posture Management, summarizes a survey of 398 IT and cybersecurity professionals responsible for evaluating, purchasing, and utilizing products and services for security hygiene and posture management, including vulnerability management, asset management, attack surface management, and security testing tools. The data reveals that organizations must aim to further assess security posture management processes, examine vendor risk management requirements, and test security tool and processes more frequently.
Among the most troubling findings from this study:
- 73% of organizations admit that spreadsheets remain a key aspect of security hygiene and posture management. Today’s threat landscape is far too dynamic to be managed by such rudimentary techniques.
- 69% of organizations admit that they have experienced at least one cyber-attack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset (e.g., web server, web application, VPN gateway, or open port). Cyber-adversaries are easily out-maneuvering IT organizations that leave assets defenseless.
- 40% of security professionals say that conflicting data makes it difficult to get an accurate picture of assets, and 39% report that it is difficult to keep up with thousands of changing assets. Organizations cannot manage and protect these resources without an accurate picture of what they are and where they reside.
- 57% agreed that their organization sometimes struggles to know which assets are business-critical. This lack of visibility means cybersecurity and IT teams are challenged to prioritize their efforts to protect the systems that are most important to business operations.
As an answer to these issues, the study concludes that the next few years will see innovation around a new platform category that ESG refers to as security observability, prioritization, and validation (SOPV). SOPV will aggregate security hygiene and posture management data, calculate risk scores, prioritize remediation actions based on risk and asset criticality, closely align with the MITRE ATT&CK framework, and even test security controls and processes. As SOPV tools mature, they will become the de facto CISO dashboard for communicating cyber-risk to the business.
“While security hygiene and posture management is critical, this research reveals that organizations don’t have a clear picture of their technology assets, and they have limited understanding of the state of those devices, systems, and applications,” says Senior Principal Analyst & ESG Fellow Jon Oltsik. “This puts organizations at risk because they lack the right information needed for sound cyber-risk mitigation decisions. While this situation is critical, I do see some promising developments and innovation around SOPV technologies over the next 12 to 18 months. CISOs should be proactively addressing security hygiene and posture management and researching SOPV solutions as soon as possible.”
For more information on this new research, please visit ESG’s website.
Enterprise Strategy Group (ESG) is an integrated technology analysis, research, and strategy firm providing market intelligence, actionable insight, and go-to-market content services to the global technology community. It is increasingly recognized as one of the world’s leading analyst firms in helping technology vendors make strategic decisions across their go-to-market programs through factual, peer-based research. ESG is a division of TechTarget, Inc. (Nasdaq: TTGT), the global leader in purchase intent-driven marketing and sales services focused on delivering business impact for enterprise technology companies.