CISO research shows cybersecurity organizations prioritizing risk reduction outperform others

Leading cybersecurity organizations take a risk-based approach. Research reveals that risk-based leaders have fewer breaches and are faster in mitigating and resolving breaches.

Skybox Security just published a new report, Reduce cyber risk with security posture management. The report outlines how leaders in risk-based cybersecurity go beyond frameworks like NIST, applying proactive practices that significantly reduce risk and improve the bottom line. It also reveals the best practices that risk-based leaders undertake and the measurable business benefits of risk-based approaches.

Report: Reduce cyber risk with security posture management
Leaders in risk-based cybersecurity go beyond NIST, applying proactive practices that significantly reduce business risk and improve the bottom line.

Over the past few years, organizations on average saw a big uptick in incidents and material breaches. However, a distinct subset had few or no breaches at all.[1] What sets these exceptional organizations apart? The firms with fewer breaches were different from the rest of the pack in two fundamental respects:

  1. First, they tended to rank higher in cybersecurity progress as measured by the NIST framework. The framework, developed by the National Institute of Standards and Technology, provides guidelines that help companies evaluate and improve their cybersecurity maturity in activities such as detecting and responding to incidents.[2]
  2. Beyond the NIST framework, organizations with no breaches took “a risk-based approach” to cybersecurity.

Combining a risk-based approach with a maturity model boosts cybersecurity results. Our research shows that organizations that excel in the areas of risk-based management saw fewer incidents and material breaches than others in both 2020 and 2021.

Risk-based leaders have fewer breaches and are faster in mitigating and resolving breaches

The benefits of a risk-based approach are clear. Leading risk-based organizations experienced fewer incidents and fewer material breaches in 2020 and 2021. Forty-eight percent of organizations with no breaches in 2021 were risk-based leaders. Not only were risk-based leaders less likely to be breached, but they were also better at mitigating and responding to breaches that do occur. Fifty percent of the top performers in time to mitigate a breach and 46% of the top performers in time to respond to a breach were risk-based leaders.

The ingredients of a risk-based approach

A closer look at the ingredients of a risk-based approach, and at the specific practices that distinguish risk-oriented organizations from their less proficient peers, shows that risk-based leaders excel in seven key areas beyond the NIST framework:

  • Attack surface visibility and context
  • Attack simulation
  • Exposure analysis
  • Risk scoring
  • Vulnerability assessments
  • Research (threat intelligence)
  • Technology assessments and consolidation

The overall effect of these risk-based techniques is transformative. Adopting a risk-based approach can unlock a host of benefits for cybersecurity teams and businesses as a whole. Powered by next-generation automated solutions, risk-based management puts cybersecurity on an entirely new and stronger footing. It enables organizations to get out of firefighting mode and get ahead of threats, shifting the dynamic.

The business case for a risk-based approach to cybersecurity

By improving efficiencies and reducing workloads, automated risk-based solutions can help companies trim costs while accomplishing more, boosting productivity in a time of tight resources and economic instability.

In addition, techniques including cyber risk quantification (CRQ) eliminate the guesswork of traditional cybersecurity and support improved, data-driven decision-making, prioritization, and forecasting. CRQ can also help demonstrate the benefits of risk-based cybersecurity and justify the investment to CEOs and boards.

Armed with hard numbers, CISOs can make a powerful business case. They can communicate the organization’s risk exposure — and potential losses if breached — in financial terms. And they can document the costly inefficiencies of traditional scattershot security practices and quantify the enormous savings that are possible with precise, prioritized, proactive security posture management.

Get the new report, Reduce cyber risk with security posture management, here.

References

[1] Cybersecurity solutions for a riskier world, ThoughtLab, May 2022
[2] NIST Cybersecurity Framework, National Institute of Standards and Technology