7 Insights from Cisco’s 2019 CISO Benchmark Study
To help CISOs better anticipate the challenges they face in their role, Cisco released a new chapter in its Cybersecurity Series – the 2019 CISO Benchmark Study: Anticipating the Unknowns. Surveying over 3,200 security leaders across 18 countries, this report observes trends affecting CISOs and cybersecurity teams over the past year. Focusing on “unknowns” in security, the report identifies the insider threat as one of the most serious risks to organizations.
Overall, the report shows that security teams have made significant strides in boosting defenses, detecting cybersecurity threats, and containing data breaches. But the unknown still looms in the form of internal threats and outside attackers.
“I think for most people who are in security, what keeps us up at night is the unknown. When I think about what I must protect on a daily basis, we have a fantastic team and very capable technology, but we are focusing on the knowns, and the real threat is the unknowns.”
– Marisa Chancellor, Senior Director, Security & Trust Organization, Cisco
In addition to insider threats, the study examines trends and changes in the industry in areas where CISOs should hone their efforts.
Here are the top seven takeaways from the report that can help inform your organization’s security posture.
1. The role of a CISO is as challenging as ever
Every CISO faces a balancing act: you want to combat security threats, but you also don’t want to upset the organizational culture or prevent employees from doing their jobs effectively. How to establish this balance is different for every CISO – it depends heavily on your organization’s culture and industry. But there are common challenges that CISOs face, including:
- The negative impact of breaches on finances, reputation, data security, customer satisfaction, and business continuity
- Substantial losses that lead to higher risk scores for insurability
- An overabundance of vendor solutions that create competing alerts
- IT silos that make security integration difficult
- A serious talent shortage of security IT personnel
- The constant appearance of new threats, whether internal, external, or otherwise
CISOs must also consider new technologies like artificial intelligence and machine learning, improvements to the training process that mitigate human risk, and the shift towards cloud-based computing.
2. Reliance on machine learning, artificial intelligence, and automation declined
Surprisingly, reliance on machine learning, artificial intelligence, and automation decreased from the previous year. This could be due to a lack of confidence and certainty with developing technologies. Decreased reports of dependence on AI could also be due to widespread adoption and integration, leading users to feel it’s not worth identifying as a critical factor in business processes. And the lessened reliance on automation may stem from organizations selectively, rather than fully, automating.
Regardless, the report later notes that these three technologies are critical in treating alerts from multiple vendors.
3. IT security teams are inundated with alerts
CISOs reported an overabundance of alerts from the wide array of security tools and products organizations deploy. This year’s report showed that 14% of respondents had more than 20 vendors, while 3% had over 50. While these numbers have declined slightly from last year, even those with fewer vendors are still struggling to integrate their tools.
Alert influx is a persistent challenge – 79% of respondents said that it was “somewhat or very challenging” to orchestrate alerts from multiple vendors. However, technology and vendor consolidation allows organizations to better manage these alerts. Security analytics, AI, and machine learning are all helping to automate and prioritize alerts at the initial stage to ease management and deliver critical alerts to the right people.
“If we can reduce the vendor footprint and have a more integrated architecture, that helps us significantly.”
– Marisa Chancellor, Senior Director, Security & Trust Organization, Cisco
To reduce the deluge of alerts, organizations are consolidating and integrating tools to prioritize alert management. Now is when security teams should reflect on their defensive measures to ensure they’re implementing a defense-in-depth approach for maximum security.
4. Is collaboration the key to reducing data breach costs?
The 2019 CISO Benchmark Study found that 95% of CISOs reported being “very or extremely collaborative between networking and security teams” across the enterprise – and that 59% also experienced the lowest financial impact from breaches at less than $100,000. Does this mean that every CISO needs to immediately develop a DevSecOps team? Possibly. While correlation does not imply causation, 82% of CIOs did say they’ll tightly integrate IT and security in the next three years, which indicates that collaboration is a wise move.
5. Humans are the weakest security link
Training is critical for reducing the number of security incidents. To mitigate the weakest link in security, onboarding coupled with continuous training and development programs can keep employees informed on the latest security threats and how to handle them. However, only 51% of respondents rated themselves as doing an excellent job of managing security through onboarding and proper procedures for employee transfers and departures. This indicates a clear need for many organizations to improve their training, which can help organizations make significant strides in decreasing security risks.
Technology is essential, in other words, but it’s nothing without educated, security-conscious people behind it.
6. False positives are a problem
While the trend indicates a shift towards fewer alerts, many respondents (35%) are still seeing between 10,000 and 500,000 alerts every day. The problem lies in the fact that teams responded to only 50% of alerts, which is down from 2018. If just one of those alerts is a serious threat, that means you’re opening yourself up to cybersecurity risks. And the ones you do investigate could be false positives. In fact, only 24% of alerts that were investigated turned out to be legitimate – another decrease from last year. Even worse, the percentage of legitimate alerts that were remediated decreased from 51% to 43%.
The case is stronger than ever for security threat response tools that take in a wide array of data, enable deep visibility and insights, and give you actionable responses to remediate the situation.
“You strive to understand how to get visibility into unknowns such as the new threats that are coming in – or even from within your own environment: unknown devices, apps, data. If you can’t see it, you can’t protect it.”
– Marisa Chancellor, Senior Director, Security & Trust Organization, Cisco
7. Malware and email security are still the most common attacks – and now, so are insiders
Malware and its variants, like ransomware, were the most commonly experienced security attacks, at 49%. Two of the top three security attacks that CISOs faced last year involved email security, and two of the top 10 involved insider threats. Organizations need to focus on what’s happening internally on networks just as much as (if not more than) on threats originating from outside their walls.
Moving forward: The state of cybersecurity and CISOs
While some of the study’s findings are troublesome, the outlook is not entirely dour; the cost of the most impactful breaches stayed about the same, and most CISOs reported breaches of less than $500,000, meaning costs are slightly down or under control. Cloud security confidence is up, and 93% of respondents agree that cloud solutions have increased efficiency and effectiveness across their organization. Fewer people believe it’s difficult to protect cloud infrastructure, making it easier to defend networks from cyberattacks. While cyber fatigue (completely giving up on trying to stay ahead of malicious threats and bad actors) is on the higher side, it saw a considerable drop from just last year.
To wrap up the 2019 CISO Benchmark Study, Cisco offers recommendations for organizations to consider when building an effective security posture. For example, collaboration across silos – IT, networking, compliance, and security – can solidify a business’s security posture and address any gaps. Also, procedures such as employee practice drills and rigorous investigations can reduce the exposure to and extent of breaches. Another suggestion is to automate more efforts using machine learning and AI; this can streamline the workflow and boost your security efforts exponentially.
Addressing and mitigating the unknowns in cybersecurity is possible, but it requires work and dedication. To discover more of Cisco’s recommendations for dealing with the unknown, or to read the full report, please visit Cisco’s Cybersecurity Report Series.