Skybox Security collaborated with ThoughtLab, an innovative thought leadership and economic research firm, to conduct a comprehensive benchmarking study on the cybersecurity investments, practices, and performance results of 1,200 companies across 14 industries in 16 countries. Peer group sessions and interviews with cybersecurity experts from around the world were also conducted. Released May 2022, the research report provides insights on which people, processes and technology-related approaches deliver the best results, revealing 10 best practices that can reduce the probability of incidents and material breaches or quicken the time to detect, respond to, and mitigate an attack.
(1) Take cybersecurity maturity to the highest level
Organizations that are most advanced in applying the NIST cybersecurity framework outperform others on key metrics, such as number of material breaches, time to detect a breach, and time to mitigate.
(2) Ensure cybersecurity budgets are adequate
Research analysis found a clear correlation between investment and results. Respondents reporting no material breaches in 2021 spent an average of 12.8% of their IT budgets on cybersecurity, while those reporting multiple breaches spent 12.3% (a difference of $4.7 million given IT budgets averaged $946 million in 2021). Organizations that spent more also had better times to detect and mitigate.
(3) Build a rigorous risk-based approach
On average, leaders in risk-based management saw fewer incidents and material breaches than beginners in 2021 (22.5 incidents and 0.75 material breaches for leaders vs. 27.1 incidents and 0.88 material breaches for beginners). Over 4 out of 10 risk-based leaders embrace Zero Trust principles. Risk-based leaders were more mature in areas such as attack surface visibility and context, attack simulation, exposure analysis, risk scoring, and vulnerability assessments.
(4) Make cybersecurity people-centric
Cybersecurity is as much about humans as it is about technology. Organizations see fewer breaches and faster times to respond when they build a human layer of security, create a culture sensitive to cybersecurity risks, provide more effective training, and develop clear processes for recruiting and retaining cyber staff.
(5) Secure the supply chain
For 44% of respondents, the growing use of suppliers is exposing them to major cybersecurity risks. Top performers in time to detect, respond, and mitigate are far more mature in supply chain security. For example, over half of organizations with excellent times to detect are advanced in supply chain security vs. 25% of those with poor times to detect.
(6) Draw on latest technology, but avoid product proliferation
Organizations with no breaches invest in a variety of technologies, from fundamentals such as email security and identity management to more specialized solutions such as cloud access security brokers, cyber risk models, and SIEMs. Security leaders are more likely to take a multi-layered, multi-vendor approach to monitor and manage risks better through a strong infrastructure. They also favor consolidation over product proliferation: 35% with no breaches consolidate infrastructure and tools vs. 28% with multiple material breaches.
(7) Prioritize protection of linked IT and OT assets
With digital and physical worlds converging, the attack surfaces for respondents are widening. Organizations that prioritize protection of interconnected IT and OT assets experience fewer material breaches and faster times to detect and respond. For example, 36% of top performers in time to detect have invested in prioritizing IT and OT asset protection vs. 27% of poor performers.
(8) Harness intelligent automation
Automation, combined with AI and machine learning, helps CISOs deliver results while freeing up staff from mundane tasks. For example, about 3 out of 10 organizations with excellent dwell times use smart automation vs. 17% of organizations with poor dwell times.
“Automation will become even more critically important going forward. The war for talent is tough in our discipline, and automation can help you fill in the gaps when you don’t have all of the people that you need all of the time. Automation also helps you retain talent, because they can avoid working on lower-level tasks. Work becomes less monotonous.”
(9) Improve controls for expanded attack surfaces
Attack surfaces widened during the pandemic. Yet multiple metrics tracked by respondents show insufficient use of security controls. For example, only 26% of the respondents’ clients now use multifactor authentication, and the percentages of servers with MFA are even lower (23%). Only 31% of users are monitored by user behavior analytics.
(10) Do more to measure performance
Currently, organizations track just four to five metrics on average. Security leaders and executive teams that are more assiduous, monitoring six or more metrics, experience fewer incidents and material breaches. They also respond faster to attacks.
To read best practice case studies and get a deeper dive on the benchmark study results you can access the full report here: