For many organizations it's no longer just about assessing cyber risk, but also the maturity of their cybersecurity programs.
Some 80% of organizations see value in conducting a cyber-risk assessment, while 65% go a step further and assess their cyber maturity, according to the newly released ISACA State of Cybersecurity 2021 report Part 2.
Enterprises performing these assessments are more likely to have sufficiently staffed security teams and are also more likely to have well-funded cybersecurity budgets, the report shows. And respondents with a pulse on security-program measurement and maturity are more than two times more confident in the ability of their enterprise to detect and respond to cyberattacks.
"This was the first time we measured cyber maturity and we found that enterprises are taking cybersecurity seriously, and they are drilling down to monitor and take a hard look as to whether their security processes are working as intended," says Karen Heslop, senior director of content development at ISACA.
Heslop says companies can opt to drill down into the details of their security operations by using ISACA’s CMMI Cybermaturity Platform or the NIST Cybersecurity Framework. By using these models, companies can pinpoint areas of deficiency and identify what they need to work on.
But it's not always so simple. Some 30% of respondents in the ISACA study cite the challenge of integrating risk with maturity and keeping up with industry threats and trends, while 29% have difficulty differentiating maturity from compliance to management; and 27% find it hard to obtain the organizational expertise necessary to understand and assess maturity.
Meanwhile, ISACA’s survey found that the number of attacks on enterprises increased 35% over the past year. And new data from other reports show more alarming attack trends.
The new EY Global Information Security Survey 2021 found that 43% of cyber leaders say they have never been as concerned as they are now about their ability to manage cyber threats, and 77% warn they have seen an increase in the number of disruptive attacks – especially ransomware – over the past 12 months. This compares with a 59% response from last year's survey by EY.
"The speed of change that businesses have had to adopt to this past year came with a heavy price," says Kris Lovejoy, global consulting cybersecurity leader at EY. "The need to rapidly transform to survive meant that security was often overlooked. The risks of simply moving on, especially as businesses look to maintain some of these working practices in the post-COVID-19 era, without addressing these cyber gaps, are very real and increasingly urgent. Recent ransomware events only serve to underscore how critical immediate action is."
Technology-wise some 34% of respondents in the ISACA survey say they are now using artificial intelligence and machine learning in their security operations.
"This ties in to all the high numbers we have been seeing around the need for cybersecurity talent," Heslop says. "Companies are looking to automate the manual processes at the SOC and let the SOC team members focus on higher-level design and analysis work."
Just how the COVID-19 pandemic has shaped security strategy remains unclear, however. There was conflicting data on the impact of the pandemic on enterprises.
The ISACA report found that only 12% deployed the SASE model as a result of the pandemic and just 23% deployed the zero-trust model. These numbers are somewhat surprising given the high buzz these technologies get from security pros, but ISACA's Heslop says to keep in mind that some enterprises could have deployed SASE and zero-trust prior to the pandemic.
Meanwhile, a recent FireMon survey shows 43% of retail industry organizations say that the pandemic has accelerated their IT infrastructure transition to the cloud, while security teams are dealing with increased complexity due to the subsequent increase in cloud-based apps. Some 81% of respondents in retail have already implemented or planning to implement a zero-trust architecture in the next two years, according to that survey.