CyberEdge reports that the percentage of companies that experienced at least one successful cyberattack dropped again, following years of annual increases. Organizations reporting six or more significant attacks in the last year decreased for the first time in 12 years. These results have provided businesses with optimism for the management and security of their infrastructures in the future: the number of organizations concerned their employees may fall victim to a successful cyberattack also dropped for the first time in six years. But do these numbers correlate with organizations getting a better handle on cybersecurity risk? The report also cited a growing skills gap, fragmented security solutions, and expanding attack surfaces, which suggests otherwise.
Hybrid work, shadow IT, and the rapid transition to multiple cloud environments have significantly contributed to the expansion of the attack surface for many organizations. Rushed digital transformation has also furthered the proliferation of cyberattacks, during and after the pandemic. It appears that minor reductions in breach statistics and an overabundance of security tools may have given some organizations a false sense of safety.
Organizations Struggle To Manage Expanding Attack Surfaces
Various research shows a sizable attack resistance gap between what companies can protect and the assets they must defend. A recent HackerOne report found only 63% of organizations’ total attack surface was estimated to be resistant to attack, and 44% of cybersecurity professionals lacked confidence in their capacity to mitigate the dangers brought on by this visibility gap. Six main factors contribute to an organization's lack of confidence:
- Incomplete Knowledge: Attack surfaces constantly change due to the expanded supply chain, software, apps, and infrastructure. In fact, a third of large companies have trouble monitoring more than 25% of their attack surfaces.
- Testing Frequency Is Not Keeping Pace: Testing frequency is not keeping up with development cycles, which move faster than before. Delays in testing and patching let vulnerabilities slip through and be exploited.
- Scanners Are Limited: Vulnerabilities that follow known patterns are easy to find with automated scanning, but the real risk lies in the unknown threats that lead to critical application security issues. Critical vulnerabilities that scanners miss create a false sense of security.
- Automation is Still Falling Short: While many security tools promise a lot, automation has yet to live up to its promise of securing the enterprise. Automation can be fast at finding and defending known threats, but automation misses critical zero-day vulnerabilities, and that gap gets larger as one considers the additional challenge of continuously increasing attack surface complexity. It’s important to recognize that while automation offers advantages to security teams, it also offers similar advantages to cybercriminals. Bad actors already weaponize AI to exploit vulnerabilities quickly and at scale.
A Shortage of Skilled Personnel Is The Greatest Concern
A shortage of skilled personnel is the most significant impediment for security teams. Industry giants announcing personnel cutbacks of thousands or more have been widely reported in the media. As the cybersecurity skills gap widens, stress on internal teams has risen by 26% since last year. CyberEdge notes that seven in eight organizations (87%) are experiencing a shortfall of security talent, with IT security administrators in greatest demand.
While many businesses are laying off employees in departments like marketing, sales, product management, and human resources, the majority are keeping their security specialists on staff. However, there remains a lack of skilled personnel to keep up with the different threats and security specialties organizations require; 80% of firms are concerned that they do not have the skills to keep up with container and cloud-native development trends. In addition, most security teams are outnumbered by developers, making it difficult to keep up with the pace of change.
As the global cybersecurity workforce deficit of 3.4 million people continues to rise, the cybersecurity industry is looking for new strategies and measures to help scale security teams.
The Board and the Bottom Line Dictate Security Investment
Tech stack complexity and the security talent gap will likely lead companies to consolidate tools across security pillars, especially as the economy contracts. Companies will evaluate security budgets and make investment decisions based on the higher ROI of a platform solution whose well-integrated tools share intelligence and thereby improve outcomes.
Human-powered security is necessary to combat the malicious creativity of cybercriminals, adept at circumventing cybersecurity defenses. The business impact of a breach is well documented, and the CyberEdge report reinforces the attention the board gives to avoiding one; nearly all (97%) surveyed organizations reported that their information security leaders engage board members directly. In other words, world-class cybersecurity is no longer ‘nice to have.’ It’s a ‘must-have’ for organizations to survive.
Security spending continues to grow in both the public and the private sector. CyberEdge reports that the average information security expenditure increased by 5.3% for organizations in 2023. The success of IT leadership in educating senior executives and board members about cybersecurity issues may also be reflected in this increased spending. The announcement of the new cybersecurity plan, together with greater expenditures, compels organizations to actively contribute to stronger collective resilience.
As the threat landscape intensifies and the shortage of experienced IT security employees persists, organizations must remain attentive in seeking out and recruiting the workers displaced by companies that have made cuts. Your organization could even consider offering cybersecurity training and certification as a recruitment tool.
Notwithstanding the apparent optimism, cybersecurity experts must maintain their vigilance. We’re continually involved in a protracted, difficult process, but securing robust cyber defenses is the best course of action for our country, its infrastructure, the economy, and our shared futures.
I’d love to hear more about your challenges and plans to secure the coming year. Contact us to talk about how you manage your attack surfaces and what ethical hackers could do for your ability to scale your security efforts.