5 Critical Take-Aways from ESG’s Cybersecurity Survey

Your lack of sleep has probably made you all too familiar with your concerns regarding cybersecurity hygiene and posture management. But a look at what keeps your peers up at night might make a difference in your own point of view. That’s what makes ESG’s recent survey of 398 IT and cybersecurity professionals in North America so potentially enlightening. It not only lets you know where other professionals stand on critical aspects of IT security, but it may also have you looking more closely at some aspects of your program. And at a time when CISOs are increasingly charged with reducing business risk, that’s not a bad thing. 

“Security Hygiene and Posture Management,” released in October, outlines key concerns and motivators across multiple security dimensions. A few stood out to us, and that’s what we’ll cover here: 

1. Security hygiene and posture management are priorities, but security organizations are making things harder than they need to. Nearly nine out of 10 organizations (86%) believe they follow the best security hygiene and posture management practices, and 84% prioritize hygiene and posture management on mission-critical assets. Sounds promising until you factor in that 70% of respondents say their organization uses more than ten different tools just for this purpose, which is likely to lead to data management headaches if it hasn’t already. Meanwhile, 73% still rely on spreadsheets for handling these important enterprise functions, even as 69% complain that security hygiene and posture management have become more difficult over the past two years. It doesn’t help that IT landscapes are growing more complex. Also, 81% of security professionals told Gartner they have a multi-cloud strategy, which in most cases only adds to their data silo problem.  
2. Organizations are working on getting a complete picture of their attack surface, though nearly half are doing so for compliance reasons. A full two-thirds (67%) of organizations told ESG their attack surface has increased over the past two years, thanks mostly to an increase in IT connections with third parties, greater device diversity, and increased use of public cloud platforms. Faced with this growth, it’s smart to use technology as the eyes and years of your network—so smart, in fact, it’s one of the five dimensions of security resilience. But the ESG survey found nearly half (49%) of organizations cite regulatory compliance mandates as the reason for gaining a comprehensive view of their attack surface. That’s certainly a good reason, but other reasons—are to reduce the risk of ransomware attacks (46%), to discover external assets to then apply the proper security controls (43%), and to accommodate a constantly changing attack surface (40%)—may be even more compelling. Notes the report: “CISOs must also understand adversaries may be continuously scanning their organization’s attack surface with automated tools as part of the reconnaissance phase of cyber attacks.” ESG’s advice? Make it harder on attackers by safeguarding internet-facing assets and reducing your attack surface. This leads us to the next point.  
3. Keeping up with soaring vulnerabilities is the No. 1 vulnerability management challenge—with automating VM processes running a close second. A record-breaking 20,130 software vulnerabilities were reported in 2021, a staggering figure that averages out to be 55 new vulns a day. So it’s not surprising that keeping up with all those new vulnerabilities is listed as the top VM challenge (30%). And it’s just as unsurprising that nearly as many (29%) also see as a key challenge the ability to automate key VM processes (discovery, prioritization, dispatch to owner, and remediation). And although cybersecurity automation is famously difficult, many solutions available today have automated previously manual tasks, including and especially doing away with those spreadsheets mentioned in point No.1. 
4. Risk-based vulnerability management is gaining ground. When it comes to determining which vulnerabilities to patch, approaches vary. One-third (34%) of professionals base their decision on “specific vendor products,” presumably scanners offering a prioritization feature, which usually just repackages CVSS scores (we’ll get to that later). Another 31% say they prioritize vulns designated as “critical” by impacted software vendors like Microsoft or VMware. And one in five (20%) use CVSS scores, which recent research has revealed is no more effective at reducing an organization’s exploitability than just patching vulns at random. But there’s good news. ESG reports that 28% of respondents recommend gaining insight into asset exploitability, exposure, and impact on critical systems to understand the underlying business risk posed by critical visibility. That’s risk-based vulnerability management those professionals are talking about—and it’s the future of VM. (Our own research with Cyentia Institute had shown incorporating exploit code into risk-based prioritization is 11 times more effective than CVSS in minimizing your organization’s exploitability.) “This means correlating VM and asset data with threat intelligence,” notes ESG. 
5. Taking specific actions can help improve your vulnerability management game—and reduce your risk. ESG found that survey respondents propose a few specific measures to shore up that all-important VM program.

• • Integrate VM with other IT programs (35%). 
  • Establish KPIs, metrics, and reports to help communicate the importance of an effective VM program (30%). 
  • Provide more VM training (28%).
  • Focus on asset exploitability, exposure, and impact so you can prioritize the fixes that make the biggest difference in reducing risk (28%). 
  • Ensure your external attack surface discovery is up to date (28%). 

It’s always illuminating to learn what your peers think about the very challenges you’re facing, and how they are working to overcome them. One thing’s for certain, however: Those trying to solve new problems with old solutions are likely careening toward disappointment or worse. The days of CVSS scores and spreadsheets are long past. Next-level problems require next-level solutions. 

Discover what Cisco is doing to solve new-world problems for business leaders looking to bolster their security operations and navigate unknown threats and change with confidence.