Tierney - stock.adobe.com

Supplier consolidation tops infosec goals for 2019

Supplier consolidation, collaboration between networking and security teams, and security awareness are the top priorities for information security professionals trying to prepare for the unknown, annual benchmark study shows

To strengthen their security posture and reduce the risk of breaches, information security professionals are seeking to reduce the number of security technology suppliers they deal with, the Cisco 2019 CISO benchmark study shows.

The annual survey of 3,000 security leaders across 18 countries shows that CISOs are also seeking to increase collaboration between networking and security teams, increase security awareness among employees, migrate to the cloud, and reduce reliance on less proven technologies such as artificial intelligence (AI).

The benchmark study shows that complex security environments, with products from 10 or more security suppliers, could be hampering security professionals’ visibility across their environments, with 65% of respondents saying they find it hard to determine the scope of a compromise, contain it and remediate from exploits.

However, the survey shows a continuing trend away from point products to supplier consolidation. In 2017, only 54% of respondents said they had 10 or fewer suppliers; this has now risen to 63%.

The benchmark report notes that in many environments, multiple supplier solutions are not integrated, and so do not share alert evaluation and prioritisation. The survey shows that even those CISOs with fewer point solutions could manage their alerts better through an enterprise architecture approach.

The unknown threats that exist outside the enterprise in the form of users, data, devices and apps is also a top concern for CISOs. To address these challenges, 45% of those polled have increased investment in security defence technologies, 39% have increased security awareness training among employees, and 39% are focused on implementing risk mitigation techniques.

High financial impact

Survey respondents noted the high financial impact of breaches, with 45% reporting that the financial impact of a breach to their organisation was more than $500,000. While more than 50% are driving breach costs below that level, 8% claimed costs of more than $5m per incident for their most significant breach of the past year.

“More than ever before, CISOs are reporting that they are taking a much more proactive role in reducing their exposure through consolidation and training, as well as investments in critical technologies, for cyber defence and breach containment, but the war is far from over,” said Steve Martino, senior vice-president and chief information security officer at Cisco.

“Security leaders are still struggling to get greater visibility across their organisation and into threats. You can’t protect what you can’t see. Cisco is committed to helping organisations address these challenges and implement new techniques and technology to stay one step ahead of malicious actors and threats.”

The survey shows that the goal of increasing collaboration between network and security teams is being realised, with 95% of respondents reporting that their networking and security teams were “very” or “extremely” collaborative, and 59% said the financial impact from their most serious breach was less than $100,000.

There is more confidence in cloud-delivered security and in securing the cloud, the survey shows, with 93% of CISOs reporting that migrating to the cloud increased efficiency and effectiveness for their teams.

At the same time, the perceived difficulty of protecting cloud infrastructure has decreased from 55% in 2017 to 52% in 2019.

Read more about cyber security priorities

The survey shows that the use of risk assessment and risk metrics that span the business, in part driven by cyber insurance procurement, is playing a growing role in technology selection and has helped CISOs focus on their operational practices, with 40% of respondents using cyber insurance to some degree to set their budgets.

Although 30% of respondents said they have virtually given up trying to stay ahead of malicious threats and bad actors, this figure is down from 46% in 2018. However, the survey report notes that CISOs still face a number of challenges and there is still room for improvement.

While AI and machine learning, used correctly, are essential to the initial stages of alert prioritisation and management, the report said reliance on these technologies has decreased. This is attributed, at least in part, to the fact that CISOs perceive these tools to still be in their infancy or not ready for prime time, with reliance on machine learning down from 77% in 2018 to 67% in 2019.

Similarly, reliance on AI is down from 74% in 2018 to 66% in 2019, while reliance on automation is down from 83% to 75%.

Employees continue to be one of the biggest protection challenges for many CISOs, the survey shows. Having an organisational process that starts with security awareness training on day one is essential, says the report, but only 51% of respondents rate themselves as doing an excellent job of managing employee security via comprehensive onboarding and processes for transfers and departures.

Email security remains the number one threat vector, the survey shows, with phishing and risky user behaviour remaining a top concern for CISOs. The perception of this risk has remained steady for the past three years for between 56% and 57% of respondents. Coupled with low levels of security-related employee awareness programmes, the report says this represents a possible major gap that the security industry can help to address.

Alert management and remediation remains challenging, the survey shows, with a reported drop in remediation of legitimate alerts form 50.5% in 2018 to 42.7% in 2019. The report described this as “concerning” given that many respondents are moving toward remediation as a key indicator of security effectiveness.

Security metrics changing

Security metrics are changing, the survey shows, with the number of respondents who use mean time to detection as a metric for security effectiveness falling from 61% in 2018 to 51% in 2019 on average. Time to patch has also dropped in focus from 57% in 2018 to 40% in 2019, but time to remediate has risen as a metric to 48% compared with 30% in 2018.

The report recommends that CISOs base their security budgeting on measured security outcomes, with practical strategies coupled with cyber insurance and risk assessments to guide their procurement, strategy and management decisions.

There are proven processes that organisations can employ to reduce their exposure and extent of breaches, the report says, recommending that CISO prepare with drills, employ rigorous investigative methods, and know the most expedient methods of recovery.

The only way to understand the underlying security needs of a business case is to collaborate across IT, networking, security and risk and compliance groups, it says.

The report recommends that CISOs: orchestrate response to incidents across disparate tools to move from detection to response more quickly and with less manual coordination; that they combine threat detection with access protection to address insider threat; that they adopt a zero trust approach to security; and that they address the email security threat with phishing training, multifactor authentication, advanced spam filtering and domain-based message authentication, reporting and conformance (Dmarc) to defend against business email compromise (BEC).

Read more on Hackers and cybercrime prevention