Critical Start recently released its second annual Cyber Risk Landscape Peer Report, which explores concerns and challenges around cyber risk mitigation for enterprises. According to the survey, 86% of respondents said that unknown risks were currently a top security concern for their companies, which is up 17% from the same study in 2023.
The study, which polled some 1,000 cybersecurity professionals across various sectors, found that in many cases network defenders will be more likely to invest their resources in third-party services that offer defenses against threats not yet known or widely publicized.
The report finds that the increasingly complex and pervasive cyber threat landscape requires businesses to implement more robust and proactive cybersecurity measures, yet concern around lack of company alignment and visibility persists.
Critical Start’s report also examines key topics, such as the increased complexity of cyberattacks, lack of cyber expertise continuing to be a growing issue, and proactive risk mitigation becoming a necessity rather than a nice-to-have.
Here are a few key statistics from the report:
- Cyberattacks are not slowing down: 83% of cybersecurity professionals reported experiencing a breach incident requiring attention, despite having traditional threat-based detect and respond security measures—a significant increase from previous years.
- Cyber expertise is a growing issue: In 2023, we reported that 37% of cybersecurity professionals cited a lack of expertise as a challenge in effective cyber risk management. This year, that number rose to 50%.
- Businesses seeking support to become more proactive: 99% of respondents plan to implement a managed cyber risk reduction (MCRR) solution to continuously monitor and mitigate cyber risks. 99% of these same organizations are planning to offload segments of cyber risk reduction projects to security providers, which is an increase of 8% compared to 2023.
- Proactive risk reduction, the new normal: The report found that 81% of organizations are planning to prioritize proactive risk reduction strategies to stay ahead of the evolving threat landscape. This includes continuous risk monitoring, threat intelligence integration, and timely incident response.
Randy Watkins, Chief Technology Officer at Critical Start, underlined a few additional observations from the report:
- The lack of visibility into assets creates unprotected entry points for attackers. Only 29% of respondents report having full visibility into their asset inventory. This gap in asset protection also affects any third-party services used to enhance an organization’s detection and response capabilities.
- Despite having traditional security measures in place, 83% of surveyed security professionals reported experiencing a cyber breach requiring attention. This not only underscores the advancement of cyberattacks but may also indicate issues with product deployment or configuration.
- Organizations need to move beyond broadly deployed traditional security measures and adopt a more proactive approach based on frequent internal and third-party risk assessments.
- Develop a consistent and reliable asset visibility practice to ensure complete deployment of security controls, including detection and protection.
- Align investments with risk reduction, focusing on critical assets such as data and business processes.
Here’s a snippet of the report, specifically Section 4, Challenges Driving the Evolution of MDR to Shift Left:
Lack of time and resources: A significant challenge highlighted by the survey is the lack of time and resources available to adequately address cyber risks. About 97% of respondents indicated that they either somewhat or completely lack the time to continuously monitor their security posture and identify potential areas of control failure. This lack of resources hampers their ability to implement comprehensive security measures and respond promptly to threats.
Increasing trend toward outsourcing: The survey also indicates a growing trend among cybersecurity professionals and executives to outsource specific segments of their cyber risk reduction efforts. About 99% of organizations plan to offload segments of cyber risk reduction workstreams or projects to security service providers within the next two years. Driving this trend is the recognition that unknown risks pose a serious concern, and outsourcing can provide the necessary expertise and resources to manage these risks effectively while enabling organizational resources to focus on implementing a broader security strategy.
Ineffectiveness of traditional detection and response: Traditional security measures, such as firewalls and antivirus software, focus primarily on preventing known threats. While these tools are essential, they are often insufficient in dealing with sophisticated and evolving cyber threats. Of the cybersecurity professionals surveyed for this report, 86% told us that unknown organizational cyber risk is currently a top concern—up 22% from our 2023 survey.
“Navigating the balance between budget constraints and the escalating costs of cyber incidents is challenging. However, cybersecurity is not just a cost center,” said Chris Morales, Chief Information Security Officer at Netenrich. “It is a critical component of overall business resilience and trust. In addition, security burnout, an escalating issue in the cybersecurity community, has reached a crucial point, especially for security analysts and managers handling their organization’s security operations. This burnout is primarily due to the increasing volume of security events and is further exacerbated by a skills shortage and the complexity of managing these newer threats.”
Morales continued, “Embracing technology that amplifies IT and security teams’ capabilities enables them to stay ahead of threats despite budgetary constraints. The solution is not simply acquiring more tools or hiring more talent but a strategic shift towards a data-driven approach. This approach empowers IT and security professionals, unlocking greater value from existing investments while enhancing the work environment for security and operations teams.”
Source: Critical Start