In a time of rising threats and constrained resources, what are the most effective steps that cybersecurity organizations can take to manage and mitigate risk? Which people, process, and technology investments are the most effective? Every CISO would like to know. While opinions, hypotheses, and hunches abound, conclusive evidence has been hard to come by. That is why Skybox sponsored the largest global cybersecurity benchmarking study of its kind.
Cybersecurity Solutions for a Riskier World brings a new level of data-driven clarity to some of the most pressing issues facing cybersecurity executives. Sponsored by a broad coalition of companies including Skybox Security, Booz Allen Hamilton, Claroty, Elastic, KnowBe4, ServiceNow, and others, the study was conducted by ThoughtLab researchers and is the largest cybersecurity benchmarking study of its kind, covering C-level decision makers within 1,200 companies across 14 industry sectors and 16 countries.
The study surveyed C-level decision makers, including CISOs, CIOs, and Chief Risk and Compliance Officers, about their cybersecurity investments, practices, and performance. In addition to the quantitative data, ThoughtLab conducted qualitative interviews with CISOs, and the report includes case studies from companies such as Southern Company, Delta Airlines, Texas Health Resources, University of Maryland Medical Systems, and more. The study offers invaluable insights into the current state of cybersecurity and the best practices companies are using to identify and stem cyber risks.
Cyber attacks and breaches are climbing
The study found that attacks and breaches surged in 2021 (a fact that our Skybox Research Lab also pointed out in our recent Vulnerability and Threat Trends Report). The number of overall incidents increased 15.1%, while material breaches leaped by 24.5%. When breaches occurred, they took a significant toll. Affected organizations reported that the greatest impact was reputational loss, followed by business disruption and then the cost of the breach response.
Organizations that experienced the most significant breaches pointed to four main causes:
- Human error (cited by 50% of organizations)
- Misconfigurations (49%)
- Unknown assets (44%)
- Poor maintenance/cyber hygiene (43%)
These are issues we see with our customers every day. They come to Skybox to gain full visibility and understanding of their attack surface through our network modeling technology. They can then leverage automation to verify and monitor security controls, configurations, and more on a continuous basis.
To learn about cybersecurity benchmarking investments, results, and best practices, attend the CISO panel webinar on May 25, 11 am EST.
Almost half of organizations that had no material breaches in 2021 took a risk-based approach
While the average number of breaches that organizations experienced rose dramatically in 2021, a select subset had few or no breaches at all. Two factors set these organizations apart, according to the report. First, they apply the cybersecurity framework developed by NIST (National Institute of Standards and Technology). The NIST framework provides guidelines that help companies to evaluate and increase their cybersecurity maturity.
The second differentiator was what the researchers call “a risk-based approach.”
“A risk-based approach is key to achieving cybersecurity proficiency: it enables organizations to identify, measure, prioritize, and manage the cyber threats they face in line with their enterprise risk management framework.”
In other words, while it’s important for companies to measure and maximize cybersecurity maturity, it’s not enough. NIST and similar frameworks are focused on reactive measures such as detecting and responding to vulnerabilities and attacks after the fact. A risk-based approach goes further, emphasizing proactive steps that enable organizations to anticipate, identify, and mitigate risks in advance.
The numbers make a convincing case. The report found that organizations that go beyond the NIST framework and excel in risk-based strategies and practices had fewer breaches in 2021. Moreover:
- 48% of organizations that had no breaches in 2021 were leaders in risk-based cybersecurity
- 50% of the top performers in time to mitigate a breach were risk-based approach leaders
- 46% of the top performers in time to respond to a breach were risk-based approach leaders
Not all industries are equal when it comes to implementing risk-based practices. According to the report, life sciences, financial services, and automotive companies are the most advanced, while healthcare, manufacturing, and media and entertainment are the least mature.
Ingredients of a risk-based approach
So what, exactly, does a risk-based approach consist of? The study discovered that leaders in risk-based cybersecurity scored the highest in the following areas and more:
- Attack surface visibility and context
- Attack simulation
- Exposure analysis
- Risk scoring
- Vulnerability assessments
This makes sense. These capabilities are the foundation of proactive security posture management. They provide organizations with a level of understanding—of their attack surface, their greatest risks, and how to manage them—that has been sorely lacking in traditional approaches. And they directly address key causes of breaches as identified by the study, such as misconfigurations, unknown assets, and poor cyber hygiene.
Delving deeper into the report
These are just a few of the highlights from Cybersecurity Solutions for a Riskier World, which offers a wealth of insight and actionable guidance for forward-thinking security leaders. We’ll be digging deeper into the report’s findings and implications in this special blog series. Subscribe to our blog for more.