Reduce cyber risk with security posture management

Leaders in risk-based cybersecurity go beyond NIST, applying proactive practices that significantly business reduce risk and improve the bottom line.

Cybersecurity is at a crossroads. In the last few years, a convergence of forces has reshaped the industry in fundamental ways, and security teams are now grappling with challenges on a scale never seen before. The threat landscape has exploded. Threat vectors have multiplied and diversified. Threat actors are more numerous, organized, and capable—empowered by a vast ecosystem of providers, tools, and services (e.g., malware-as-a-service) that cater to experts and novices alike. Cyberattacks are more frequent, destructive, and insidious—and are increasingly targeting not just IT systems but also supply chains, third-party software, and operational technology (OT), including critical infrastructure. Zero-day exploits are on the rise, as are nation-state attacks fueled by the Russia-Ukraine war.

Simultaneously, the rapid adoption of new technologies driven by digital transformation, cloud migration, the hybrid work culture, and the IIoT (industrial internet-of-things) boom has left security teams scrambling to manage an expanding attack surface and skyrocketing vulnerabilities. All of this is happening at a time of severe resource constraints, made worse by an uncertain economy and chronic cybersecurity talent shortages aggravated by widespread burnout and the “great resignation.” Functional silos within organizations—between IT and OT, for example, and between network, cloud, and security teams—further hamper efficient, coordinated action.

Cyber threats are multiplying, and so are risks

• 40% of chief security officers say their organizations are not well prepared for today’s rapidly evolving threat landscape.
• Risk managers rank cyber threats as the number-one business risk in 2022, higher than business interruptions, natural disasters, or pandemics.
• New cryptojacking and ransomware programs increased by 75% and 42% respectively, in 2021.
• OT vulnerabilities leaped 88% in 2021.
• Companies experienced an average of 270 attacks in 2021, up 31% over 2020.
• The number of data breaches broke records in 2021, jumping 68% year over year.
• The average cost of data breaches hit $4.24 million in 2021, up nearly 10% from 2020.
• Zero-day attacks nearly doubled in 2021.
• The average time to detect and respond to cyberattacks grew to 280 days in 2021.

Clearly, the status quo is unsustainable. The threat landscape has evolved dramatically while cybersecurity practices have lagged behind. It is not simply a matter of tweaking the existing paradigm or spending more money while maintaining business as usual. Traditional methods are far too little, too late in an era of exponentially increasing risks. No wonder 29% of CISOs and 40% of chief security officers say their organizations are not well prepared for today’s rapidly shifting threat landscape.

As worrisome as that may sound, there is cause for optimism. A select group of organizations are flipping the narrative, jettisoning the old scattershot, reactive model, and turning cybersecurity into a rigorous, precise process that can successfully identify and reduce risks proactively, with demonstrably better outcomes. Combining a risk-based approach with a maturity model boosts cybersecurity results. Our research shows that organizations that excel in the areas of risk-based management saw fewer incidents and material breaches than others in both 2020 and 2021.

Looking more closely at the ingredients of a risk-based approach and the specific practices that distinguish risk-oriented organizations from their less proficient peers, the benchmark study found that risk-based leaders excelled in seven key areas beyond the NIST framework:

• Attack surface visibility and context
• Attack simulation
• Exposure analysis
• Risk scoring
• Vulnerability assessments
• Research (threat intelligence)
• Technology assessments and consolidation

For full research citations and in-depth analysis, download the report.