The risk of data breaches, patching issues and vendor complexity are among the many challenges that CISOs face every day, according to Cisco's CISO Benchmark Study 2020, released on Feb. 24.
"The CISO Benchmark is our annual look at security leaders and how they feel they are doing," said Ben Munroe, senior director, security product marketing at Cisco.
The sixth annual CISO Benchmark Study benefits from the input of 2,800 IT decision makers from 13 countries. While challenges exist, there are also multiple areas of positive change that the study identified as well.
The good news
On a positive note, the percentage of organizations that reported that they voluntarily disclosed a breach is at its highest level since Cisco began the survey. Post-breach voluntary disclosure means that organizations are proactively reporting breaches. Going a step further, 61% of organizations reported that their credibility rises when they voluntarily disclose a major breach, which also helps to boost brand reputation.
Another positive finding is that in organizations where networking and security teams work in a very collaborative manner, the financial impact of a breach can potentially be reduced. The report found that 59% of companies who were very/extremely collaborative between networking and security experienced a financial impact of their most impactful breach under $100K, which is the lowest category of breach cost in the report.
More organizations than ever before are now also using well defined metrics and clear security outcome objectives to help determine where best to spend on security. The positive impact of having that clarity leads to 11% less cyber fatigue, which itself is a growing concern overall due to a number of factors.
The bad news
One of the most basic and yet difficult things for any organization is keeping up with patching. Apparently more organizations in the last year had difficulty with that activity than the prior year, which is a major cause of concern.
In the 2019 CISCO Benchmark report, 30% of respondents admitted that their organization suffered a security incident due to a known unpatched vulnerability. That number spiked dramatically in the 2020 report to 46%. Adding further insult to injury, for those organizations that were breached due to an unpatched vulnerability, they also suffered more data loss than those that had breaches due to other root causes.
While malware and malicious spam are issues that have plagued IT for decades, they remain the top two cause of downtime. Mobile device security is another issue that CISOs face with 52% of respondents noting that mobile devices are now very or extremely challenging to defend.
Cybersecurity fatigue is another big issue that is impacting organizations today. Cisco defines cybersecurity fatigue as essentially giving up on proactively defending against malicious actors. Surprisingly 42% of respondents admitted that they are suffering from cybersecurity fatigues with the challenges of working in a multi-vendor environment being one of the primary issues.
According to the study, 86% of organizations are using between 1 and 20 security vendors, and 13% are using over 20 vendors. Managing all those vendors is seen as being very challenging by 28% of respondents which is up by 8% from the 2019 survey.
Munroe commented that there are often structural levels of complexity when looking to integrate data from different products. That complexity can solved in part by automation, but fundamentally he emphasized that there is a need to do things differently than they have been done in the past. That's where the new Cisco SecureX service comes into play.
SecureX is a platform for integrating multiple security technologies inside of a single view that enables ease of control, unified policy across assets on-premises and in the cloud, automation and remediation capabilities, among other features.
"We want to enable customers to do things and respond inside of this platform, so you don't have to go into ten different products, you can just see and act from within the SecureX platform," Munroe said.
The idea of automation and security orchestration is one that industry analysts sometimes group under the category of SOAR (Security, Orchestration, Automation and Response), though that's not entirely what SecureX provides.
Snehal Patel, Senior Director of Product Management at Cisco explained that SecureX does included the same elements as SOAR, though he noted that Cisco views SecureX as being more holistic, as it brings together automation, analytics, remediation, intelligence and the ability to interconnect.
"From a Cisco perspective, we see this as a way to harmonize consistent lifecycle management for customer products and security architecture," Patel said.
Rather than being yet another product that customers need to buy, SecureX is also somewhat differentiated as it is being offered to Cisco customers as part of existing and new engagements. SecureX is being announced at the RSA Conference in San Francisco and is set for generally availability at Cisco Live which runs from May 31 to June 4 in Las Vegas.