It’s one thing to point out the many challenges that today’s cybersecurity organizations face, and it’s another to identify concrete actions that companies are using to counter the rising tide of threats. That’s why a recently released global benchmarking study, Cybersecurity Solutions for A Riskier World, is so significant. It doesn’t simply diagnose the problems CISOs and their teams are wrestling with; it offers a practical prescription for reducing risks and hardening security.
The study is one of the largest such research efforts ever undertaken. It surveyed CISOs and other C-level decision makers at 1,200 major organizations worldwide, taking an in-depth look at their cybersecurity investments, programs, and performance. The researchers analyzed the effectiveness of various risk-reduction strategies and identified the ones that lead to demonstrably better cybersecurity outcomes. The report describes the best practices that distinguish top-performing cybersecurity organizations from their less successful counterparts.
As a technical director working closely with client organizations, I’m struck by how closely the study’s conclusions dovetail with the experience of Skybox customers.
Here are six recommended best practices that have helped Skybox customer organizations dramatically improve their security posture and manage risks more effectively.
(1) Take cybersecurity maturity to the highest level
The report leaves no doubt that when it comes to cybersecurity, maturity matters. The researchers found a strong correlation between companies’ maturity, as measured by the NIST (National Institute of Standards and Technology) framework, and their performance on key cybersecurity metrics.
Maturity doesn’t happen by accident. It takes a concerted effort and adherence to a framework such as NIST. While many companies are aware of such frameworks, they’re not always doing much to implement them. It requires a solid commitment to pursue maturity goals—with clear milestones, metrics, and accountability on the part of key stakeholders. At the same time, organizations must be realistic and scale their maturity timelines and targets to their budgets and resources.
(2) Build a rigorous risk-based approach
While maturity is necessary, it’s not sufficient. The study found that the most successful organizations are those that go beyond maturity frameworks and embrace “a risk-based approach—i.e., make decisions to mitigate, transfer, or accept a risk based on its probability and potential impact.”
A risk-based approach depends fundamentally on the ability to identify and weigh relative risks with accuracy. Rather than indiscriminately patching vulnerabilities, organizations need a reliable way to zero in on the issues that pose the biggest hazard to the business, and they need to prioritize remediation efforts accordingly. Traditional methods relying on blanket scanning and patching are too time-consuming, cumbersome, and costly. They waste precious resources on non-issues (such as vulnerabilities that aren’t exposed to attack or that inflict no damage if compromised) while overlooking bigger perils.
Likewise, traditional risk scoring methods that focus primarily on the severity of vulnerabilities and don’t account for critical factors like exposure and asset importance are incapable of measuring actual risk. Instead, a rigorous risk-based approach requires advanced multi-factor scoring that includes exposure analysis and, ideally, measures the financial impacts of compromised assets. This detailed cyber risk quantification, provided by Skybox’s latest solutions, enables security teams to concentrate their efforts more precisely and efficiently than ever before.
The benefits of a true risk-based approach are substantial. The benchmark study found that risk-based leaders suffered fewer breaches than other organizations and were also better at responding to and mitigating breaches when they did occur.
“Our research shows that organizations that excel in the areas of risk-based management saw fewer incidents and material breaches than others in both 2020 and 2021.”
"Cybersecurity Solutions for A Riskier World"
ThoughtLab, May 2022
(3) Build an integrated platform of the latest technologies
The tactics, techniques, and procedures (TTPs) used by threat actors have evolved rapidly in recent years. Sophisticated exploits are now accessible even to novice hackers, thanks to a booming malware marketplace serving up a panoply of products and services to would-be cybercriminals. Cybersecurity teams that are still using older tools and methods are getting outflanked and urgently need to modernize.
The benchmark study advises a multilayer approach combining best-of-breed cybersecurity technologies from multiple vendors, but it warns against “getting lost in a blizzard of technologies.” As tools and technologies multiply and diversify—and as attack surfaces expand to encompass IT and OT systems, on-premises, cloud, and multi-cloud environments—it’s getting much more difficult to keep track of assets, sniff out vulnerabilities, orchestrate remediations, and ensure that security policies are aligned and consistent across an organization’s whole estate.
(4) Improve security controls for expanded attack surfaces
This follows directly from the previous recommendation. As attack surfaces sprawl, new approaches are needed to provide a more comprehensive view across complex heterogeneous environments. That requires the ability to collect information on assets, configurations, and vulnerabilities from a multitude of sources, such as network and security infrastructure, public and private clouds, patch and asset management systems, EDR solutions, threat intelligence feeds, and OT passive scanning solutions. All of this data can then be consolidated in a holistic network model, enabling a comprehensive analysis and understanding of the entire network environment. This is an area where Skybox’s vulnerability and policy management excel.
(5) Prioritize protection of linked IT/OT assets
Operational technology has become a major cybersecurity concern as OT and IT networks converge. Formerly air-gapped OT systems are being exposed to attack as they’re connected to IT networks and the internet for purposes of remote management, control, and optimization. Many of these systems lack robust (or any) security controls. Threat actors are aware of these weaknesses and are taking advantage, launching increasingly destructive attacks on critical infrastructure and other OT assets.
Since scanning and patching many OT systems is impossible or impractical, new-generation solutions such as Skybox’s combine active scanning with non-intrusive scanless detection and mitigations, including network segmentation, configuration adjustments, and IPS signatures.
(6) Harness automation
Traditional manual cybersecurity processes have become untenable in an era of skyrocketing complexity and snowballing threats, compounded by chronic talent shortages and tight budgets. And yet many organizations continue to rely on labor-intensive practices that have changed little in the last decade.
That’s ironic, given that automated tools are readily available that can make short work of many complex tasks. Skybox’s automated solutions, for example, streamline a wide variety of essential activities, including:
- Asset and vulnerability discovery
- Network modeling and analysis
- Risk scoring
- Remediation workflows
- Compliance and policy verification
- Change management
- Tracking and reporting
Skybox solutions can perform many of these functions with little or no human intervention, saving untold hours of labor, cutting costs, and reducing burnout, while freeing up staff to focus on more strategic priorities. Moreover, by making processes more repeatable and controllable, automation eliminates the human error that, as the benchmark study points out, is responsible for a large percentage of breaches. Automation likewise prevents unauthorized changes from taking place and improves policy compliance. The overall ROI is enormous.