Our findings from the Benchmark Study revealed several areas that are critical to strengthening your organization’s security posture. This section goes into detail on our findings of where and how CISOs and their peers are putting technology and processes in place (or not) to mitigate the damage that cyber breaches can have on their organizations, under the topics of best practices, architectural approach and breach readiness.
What does it mean to be a CISO day-by-day? What is your charter? Our present survey revealed multiple areas that together determine your organization’s cyber health, including: being practical about risk, setting criteria for budgeting, collaborating across divisions, educating staff, conducting drills, knowing how to track outcomes to inform investments, and being strategic on vendor and solution implementation.
Risk management is table stakes? Hardly. Understanding the risks of cyberattacks, and the compliance landscape that governs security breaches, is paramount to knowing how to defend against and prepare for the worst. Yet when asked whether they were very knowledgeable about risk and compliance, only 80% of respondents said they were. That leaves 20% of security professionals who could possibly use some of that training we discussed earlier. More unknowns – where you least expect them.
“In some areas the risk is not as high because the organization has strong security practices; in other areas we have opportunities to shore up, minimize and close the gap on that risk. And that’s how we make our investment as well as prepare for the next threats. We have to ask ourselves how we can build that foundational architecture to best prepare us for what’s around the corner."
Almost half of you, 47%, are determining how to control security spending based on organizational security outcome objectives. Measuring outcomes against investments is the best data-driven approach. What’s more, 98% of you strongly or somewhat agree that your executive team has established clear metrics for assessing the effectiveness of the security program. 49% of respondents have metrics that are used by multiple areas of the company to understand risk-based decisions and to improve the processes that measure security effectiveness throughout the organization.
Back to the budget: aside from outcome-based measurement, Figure 1 shows some less healthy options. Basing security spending on the previous year’s budget (46%) or on a percentage of revenue (42%) were both popular choices, but neither necessarily correlates with better security. The breach landscape changes year-to-year, and last year’s budget or a percentage of revenue may have little to do with what it costs to defend against future threats.
The fourth most relied-upon approach to determining security spending is cyber insurance: 40% of you are using cyber insurance, at least partly, to set your budgets. Taking this approach begins with a risk assessment to accurately identify your security risks and to establish whether each can be mitigated by insurance or protected by controls. For some companies, cyber insurance guidelines may play a role in technology selection and/or budget setting. Either way, this merits further investigation in subsequent reports.
Source: Cisco 2019 CISO Benchmark Study
In past surveys, you’ve told us that you split security out from under IT and that you created the role of the CISO. Fortunately, you play well in the sandbox with your networking colleagues. Figure 2 shows us that 95% of you judge yourselves to be very or extremely collaborative between networking and security teams. You’re not working in silos, and this has a tangible financial upside.
How much of a financial incentive? It turns out that 59% of those who were very/extremely collaborative between networking and security reported that their most impactful breach cost under $100K – the lowest category of breach cost.
This clearly merits further analysis and possibly points to a greater need for, and further development of, DevSecOps teams. Collaboration becomes not a matter of coincidence but a must, especially in the age of Agile development.
And this is recognized at the highest executive levels. According to a recent CIO study published by IDG, “82% of CIOs expect their IT and security strategy to be tightly integrated in the next 3 years.”*
*Source: A Secure Alliance: How the CIO-CISO Relationship Strengthens IT and Business, IDG, February 2019
“What if we train our people and they leave?” goes the question. “What if we don’t do it and they stay?” The same applies from a security perspective. Yes, we focus on technology, but we should spend equal time on process and on the people side of the business – because our people are the front line of protecting our organizations.
If people/users are cited as the weakest link in security, having a process that starts with onboarding new employees is common sense. Or so you’d think: only 51% rate themselves as doing an excellent job of managing human resources on security via comprehensive employee onboarding and appropriate processes for handling employee transfers and departures. It also seems counter-intuitive that the trend for training staff in the wake of an incident is flat year-on-year at only 39% of respondents.
A disaster can be perilous without proper preparation. There is room for improvement in this area: 61% of organizations perform a drill or exercise every six months to test their response plans for cybersecurity incidents (Figure 3). Drills help ensure the proper controls are in place to detect and respond as quickly as possible and so mitigate damage.
"A lot of what catches people, when they get phished, is an emotional response and that’s what hackers do; they try and provoke an emotional response, and so that’s what we try and do in our phishing simulations with our employees. It’s all context based, and so when an email apparently tells you there’s a package waiting for you, who doesn’t want to send or get a whole lot of packages?"
As the need for an all-encompassing approach to protecting against cyber threats has grown, organizations have rushed to acquire multiple point solutions. We know this because in 2018, 21% of respondents had more than 20 vendors and 5% had more than 50. This year those figures have fallen to 14% and 3% respectively. The number of vendors and solutions is trending down; but because multiple vendors’ solutions aren’t integrated, and therefore don’t share alert triage and prioritization across a limited set of dashboards, our survey found that even CISOs with fewer point solutions could manage their alerts better through an enterprise architecture approach.
To better manage alerts, one security best practice is to reduce the number of vendors and point solutions. In 2018, 54% of respondents had 10 or fewer vendors in their environment; now that number has risen to 63% (Figure 4). More respondents have fewer vendors: vendor consolidation, for a variety of possible reasons, is real and measurable.
Don’t just take our word for it. The multi-vendor approach (instead of an integrated approach) keeps the persistent challenge of alerts alive: 79% of respondents said it was somewhat or very challenging to orchestrate alerts from multiple vendors’ products, compared with 74% in 2018 (Figure 5). Thus, while security professionals are attempting to address vendor sprawl and its attendant issues, managing it has not become easier and needs further improvement to optimize resources. This is where security analytics, machine learning, and AI can greatly help, by automating the initial stages of alert prioritization and management. Too bad adoption rates for these new technologies seem to have wobbled slightly this year.
"If we can reduce the vendor footprint and have a more integrated architecture, that helps us significantly. I would rather have more automation on the back-end through an integrated architecture than having to slap something on top of it and write some new scripts to bring it all together."
Although the size of your organization may certainly contribute to your number of alerts and vendors, the data tells us that fewer vendors can make alert management more efficient (see Figure 6). At the top end of the funnel, 63% of organizations with only 1-5 vendors and 42% of organizations with 6-10 vendors saw fewer than 5,000 alerts per day. Of course, it might also tell us they have alerts turned off.
Reducing the number of vendors you have to manage also helps your teams focus on more important work, like remediation. Those with fewer than 10 vendors had a higher average response rate, remediating 44% of legitimate alerts compared with 42%. You gain efficiency by lowering the number of security vendors, as shown in Figure 6.
Finally, we found that 65% of organizations that are very up-to-date, and constantly upgrading with the best technologies available, more often experienced a lower count of daily security alerts (up to 10,000 per day). The next best option – to replace or upgrade security technologies on a regular cadence (but not necessarily be equipped with the latest and greatest tools) – had a 60% chance of receiving up to 10,000 alerts per day.
“At the end of the day it is about culling through all the alert information, and this is where we have set Plays to look at information. So, if we start to see a certain type of event, this is what’s going to trigger an incident for us.”
Talking about too many alerts to anyone in security is like talking about traffic to anyone in a major city. It’s bad, we get it, move on. But you generally do something about it: car pool, avoid rush hour, work from home. Alerts, moreover, are the key to the unknown and cannot be ignored. Buried in that pile of information is the 1% of threats that get through even the best layered defense.
Here are five findings related to the alert landscape as you related to us:
The good news is over. You’re responding to 50.7% of alerts compared with 55.6% in 2018. This suggests that while some of you are seeing fewer alerts, which feels like it should make the job easier, many are actually responding to fewer of them.
Only 24.1% of alerts that were investigated turned out to be legitimate, down from 34% in 2018. This shows that the tools used to determine which alerts should be investigated are not accurate enough to do their job.
There’s worse news still when we look at alert remediation: there is a dramatic drop from the 2018 survey in the number of legitimate alerts that get remediated – from 50.5% to 42.8% this year.
Put another way and illustrated in Figure 7: if you are one of the organizations that faces up to 10,000 alerts per day, that leaves 1,000 legitimate alerts unattended. Every single day. And that’s just the half (50.7%) you investigated. The case has never been stronger for security threat response tools that can ingest broad data sets, provide visibility into that big data, and provide a means to rapidly take action.
This drop in remediation is crucial given that many of you are moving towards remediation as a key indicator of security effectiveness. The number of respondents who use mean time to detection as a metric decreased from 61% (2018) to 51% (2019) on average. Time to patch has also dropped in focus from 57% (2018) to 40% (2019). The biggest shift is in respondents who focus on time to remediate (48%) as an indicator, which rose from 30% in 2018. This shows a new focus on remediation as a security professional’s KPI to measure their security posture. When you contrast this with the rise in the number of legitimate alerts not being remediated, a drop in investment in machine learning and a slow rise or steady rate in the amount of training, it appears we are in need of more innovation in alert management.
The survey data also revealed that 64% of those that collect data allowing them to measure their time to detect saw 10,000 or fewer daily alerts – the highest cohort in this matrix (see Figure 8).
Attacks seen in the past year
For the first time this year, we got specific in asking about the types of attacks that CISOs have experienced and we asked about a set list of common attacks. While some have seen highly specific variants of malware such as WannaCry (11%) or threat categories such as wiper malware (15%), the most oft-cited attacks are malware and variants such as ransomware.
“Today 90% of our incidents are still related to malware, or the evolution of malware such as ransomware and similar attacks. And it’s those advanced persistent threats where we don't quite know what that threat vector is yet."
As shown in Figure 9, two of the top three are email security issues; email remains the #1 threat vector. Whether you are investing in protecting the move to Microsoft Office 365 or trying to better protect against Business Email Compromise (BEC) using DMARC, email is still an area to focus on. That two of the top 10 are insider threat issues (file sharing and stolen credentials) shows that you must look at what’s happening inside as much as outside, and be aware that some criminals log in rather than break in. This drives the need for better multi-factor authentication (MFA). Nowhere is the need more apparent to balance security (letting the right people in) with seamless business (not hindering the people you do let in with a clunky user authentication experience).
While concern about other areas (such as the move to the cloud) remains high but manageable, concern about user behavior (e.g., clicking malicious links in email or on websites) remains high and is now the top concern for CISOs. When asked about the challenge of defending various parts of their infrastructure, respondents ranked user behavior highest. This perception of vulnerability has held steady for the past three years, at between 56% and 57% of respondents.
We also asked which of these types of attacks resulted in some level of breach (loss of data) and received this priority of responses:
Interestingly, the perceptions of risk varied among security-related roles. For instance, the Risk and Compliance Officers consider the biggest vulnerability to be “Targeted Attacks” – these executives are well-aware of the dire consequences a fatal attack could have on continuity of business.
To learn more about what breaches are threatening your organizational stability, read Cisco’s Threat Report 2019.
We’re all aware of the potential consequences of a breach: financial loss (see Figure 10), brand and reputational setback or ruin, shaken stockholder confidence, loss of valuable data, regulatory and non-compliance penalties, and the list goes on. Looking at the year-on-year comparison of data, there is a clear shift towards issues of perception and sentiment; there’s no let-up in the need to keep operations running, but customer experience and brand reputation both jumped up as key concerns (Table 1).
We asked our security professionals to what extent their organizations took precautions to put people, process, and products in place to safeguard their organizations. The results are shown in Figure 11.
Further, we asked what approaches are taken to mitigate security risks, and those results are shown in Figure 12.
Digging further into the data, we found that although 85% of respondents were very knowledgeable about policies and practices regarding infrastructure security and protection, only 74% were very knowledgeable about business continuity and disaster recovery, and only 75% were very knowledgeable about incident response. This is a problem. Everyone involved in security should be knowledgeable about incident response; in fact, this can be extended to all employees within an organization. This is where training becomes so vital, and its lack of prominence in this year’s results continues to stand out.