Many organizations are still struggling to adopt a more risk-focused approach to cybersecurity, although the need for it has been recognized for years.
Some familiar issues have been holding them back, including infrastructure complexity, third-party risks, understaffing, resource shortages, and — most significantly — not measuring cyber-risks and their impact on business.
Security vendor Tenable recently commissioned the Ponemon Institute to evaluate how enterprises are measuring and managing cyber-risk.
The poll of 2,410 IT and security practitioners in the US and other countries showed that a depressingly large number of organizations are continuing to experience business-disrupting cyber incidents — some of them multiple times over a relatively short time. Ninety-one percent of the companies surveyed reported experiencing a damaging cyberattack over the past two years; 60% had two or more.
Thirty-one percent experienced a data breach involving 10,000 or more customer or employee records in the last two years. A substantially larger 52% — more than half of all organizations surveyed — expect they'll experience a breach of this magnitude in 2019.
"At a time when business-disrupting cyber events are impacting almost all organizations, CISOs are unable to confidently quantify cyber-risk's impact to business operations," says Bob Huber, CISO of Tenable. "This is leaving the C-suite and boards of directors without actionable insight to make decisions" to alleviate business risk.
The Tenable survey showed that, with a couple of exceptions, the threats that organizations are most worried about are the same as they have been for the past several years. The top concerns this year were malware, with 48% saying they had experienced at least one malware attack in the past two years; third-party risks (41%); and leakage of emails and other business confidential information (34%).
Worries over some threats, however, appear to be spiking. Sixty-four percent — nearly two-thirds — ranked third-party risks as their top concern for 2019. The number is significantly larger than the 41% that actually reported a security incident involving a third party over the past two years.
Similar spikes were apparent in other areas as well. For example, 56% identified an attack on Internet of Things or operational technology (OT) assets as their biggest cybersecurity concern for 2019, though just 23% reported experiencing an actual attack of this type in the past 24 months. Economic espionage and attacks that disrupt OT infrastructure are also top-of-mind concerns for 2019.
Significantly, for all the hype around nation-state attacks, fewer organizations (13%) expect to experience one in 2019 than the 15% who said they already had become victims of one in the past two years.
The reasons for the overall pessimism appear tied to long-standing factors. Though organizations represented in the survey had 19 employees, on average, involved in vulnerability management, 58% still felt they did not have adequate staffing to scan for vulnerabilities — including publicly disclosed ones — in a timely fashion. Somewhat unsurprisingly, a nearly identical proportion (59%) said they had no set schedule for vulnerability scanning or did not scan at all.
The Tenable/Ponemon survey showed that a substantial percentage of organizations are struggling to keep pace with the stealth and sophistication of attackers, reduce complexity in their IT security infrastructure, improve third-party controls, and control access to sensitive data.
While such factors have heightened the need for more risk-focused approaches to cybersecurity, Tenable's survey showed that many organizations are only beginning to adopt them.
Risk Measurement & Management: Work in Progress
"While some organizations are making strides in improving their security maturity and mapping cybersecurity strategies to the business, there is still room for improvement," Huber says.
For example, despite the enormous financial implications of data breaches and other security incidents, many organizations still have a poor understanding of the business costs of cyber-risks.
Less than half of the organizations represented in the survey — some 1,110 — claimed they measured and therefore understood the business impact of cyber-risks. Of those, only 41% were required to report that analysis to their board and business leaders. More than six in 10 did not believe their measures were very accurate.
In general, more respondents claimed to understand the importance of certain key performance indicators (KPIs) for understanding risk than actually use them. For example, 70% and 64%, respectively, considered metrics on the time to remediate risk and the time to assess cyber-risk to be important KPIs. However, only 46% and 49%, respectively, are using them.
The same gap was evident in the use of KPIs to measure the business impact of a cyber incident. Sixty-eight percent believed it was important to have a way to measure loss of revenue resulting from a cyber incident, but only 56% actually are using KPIs to do that. Seventy percent said KPIs for measuring loss of productivity were critical even though only 48% are actually using them.
Exacerbating the situation is the fact that the KPIs that organizations are using are designed for on-premises infrastructure and therefore are inadequate for current environments that include a mix of traditional IT, cloud, IoT, containers, and OT, Huber says.
Most KPIs are too technology-focused and don't fully take into account the financial and business implications, Huber says. Often, the metrics are tactical rather than strategic in nature and are not very effective at helping organizations mitigate risk, he says.
"Put another way, current cyber KPIs don't consider business outcomes and fall far short of reflecting digital business and digital transformation," Huber notes. "The most common KPIs for cyber-risk and business risk don't correlate right now, and that's a gap."
While CISOs and other security leaders are typically responsible for deploying patches and managing vulnerabilities, they have relatively little influence in determining investments and strategies for vulnerability management. CISOs are the people most involved in evaluating cyber-risk at only 17% of the organizations represented in the survey — compared with CIOs at 36%.
"In the digital era, cyber-risk is now business risk, and that means CISOs must be able to measure their exposure and map it back to business outcomes," Huber says.