We’ve talked to hundreds of IT and security professionals to find out what their 2022 was like. We heard about their challenges, discoveries, strategies, and priorities when it comes to managing and securing assets and reducing the attack surface.
At a recent (ISC)² webinar, 2022: A Year of Wrangling Assets and Reducing the Attack Surface, I covered the top five learnings and trends from 2022 and the top five priorities for 2023 (and one anti-priority). Here we’ll look at some of the highlights.
When it comes to understanding the entire asset inventory and the relationship between controls and security solution coverage, there are gaps between belief and reality.
In some industries, we’ve seen:
8%–17% of assets have an installed agent that is either outdated or not running
20% of devices aren’t being scanned by the vulnerability scanner at all
Up to 40% of devices that should be covered by an endpoint detection and response (EDR) tool have no agent installed
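The numbers above only surface when inventories from several tools are reconciled against each other rather than trusted one at a time. The script below is an added example (not code from the post or from Axonius) that does that reconciliation over constructed sample data: a CMDB, an EDR console export, and a vulnerability scanner export. It treats the union of all sources as the asset universe, normalizes hostnames so the same box spelled two ways is counted once, and reports the same gap categories the list quotes. The thresholds (minimum agent version 7.0.0, 7-day check-in window, 30-day scan age) and all host names are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example (not figures from the post).
NOW = datetime(2022, 12, 1, tzinfo=timezone.utc)

# Source 1: the CMDB, i.e. what the organization believes it owns.
CMDB = {"srv-01", "srv-02", "srv-03", "db-01", "db-02",
        "web-01", "lap-01", "lap-02", "lap-03", "lap-04"}

# Source 2: the EDR console, host -> (agent version, last check-in).
EDR = {
    "srv-01": ("7.2.1", NOW - timedelta(hours=1)),
    "srv-02": ("6.9.0", NOW - timedelta(hours=2)),    # agent installed but outdated
    "db-01":  ("7.2.1", NOW - timedelta(days=21)),    # agent installed but not checking in
    "web-01": ("7.2.1", NOW - timedelta(minutes=5)),
    "lap-01": ("7.2.1", NOW - timedelta(hours=3)),
    "lap-02": ("7.2.1", NOW - timedelta(hours=4)),
    "lab-99": ("7.2.1", NOW - timedelta(hours=1)),    # seen by EDR, absent from the CMDB
}

# Source 3: the vulnerability scanner, host -> last completed scan.
SCANS = {
    "srv-01": NOW - timedelta(days=3),
    "srv-02": NOW - timedelta(days=3),
    "srv-03": NOW - timedelta(days=40),               # scanned, but too long ago
    "db-01": NOW - timedelta(days=2),
    "db-02": NOW - timedelta(days=2),
    "WEB-01.corp.example": NOW - timedelta(days=1),   # same box as "web-01", different spelling
    "lap-01": NOW - timedelta(days=5),
    "lap-03": NOW - timedelta(days=5),
}


def normalize(host: str) -> str:
    """Fold 'WEB-01.corp.example' and 'web-01' onto one key. Without this the
    same machine is counted twice and the tools never reconcile."""
    return host.strip().lower().split(".")[0]


def _version(v: str) -> tuple:
    """Turn '7.2.1' into (7, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def coverage_gaps(cmdb, edr, scans, now,
                  min_agent="7.0.0",
                  max_checkin=timedelta(days=7),
                  max_scan_age=timedelta(days=30)):
    """Reconcile three sources and return the gaps between belief and reality.

    The asset universe is the union of every source, not the CMDB alone:
    a host only the EDR has heard of is still a host.
    """
    cmdb = {normalize(h) for h in cmdb}
    edr = {normalize(h): v for h, v in edr.items()}
    scans = {normalize(h): t for h, t in scans.items()}
    universe = cmdb | set(edr) | set(scans)

    return {
        "universe": universe,
        "unknown_to_cmdb": universe - cmdb,
        "missing_edr": universe - set(edr),
        "outdated_agent": {h for h, (ver, _) in edr.items()
                           if _version(ver) < _version(min_agent)},
        "agent_not_running": {h for h, (_, seen) in edr.items()
                              if now - seen > max_checkin},
        "unscanned": {h for h in universe
                      if h not in scans or now - scans[h] > max_scan_age},
    }


def percent(subset, universe) -> float:
    """Share of the universe that falls in a gap, to one decimal place."""
    return round(100.0 * len(subset) / len(universe), 1) if universe else 0.0


if __name__ == "__main__":
    gaps = coverage_gaps(CMDB, EDR, SCANS, NOW)
    universe = gaps.pop("universe")
    print(f"{len(universe)} assets seen across all sources")
    for name, hosts in gaps.items():
        print(f"{name:18s} {percent(hosts, universe):5.1f}%  {sorted(hosts)}")
```

On this sample the CMDB says ten assets; the union of sources says eleven, four of them have no EDR agent, one agent is outdated, one has stopped checking in, and four hosts have no usable scan. Counting against the CMDB alone would have hidden `lab-99` entirely, which is exactly the 10%–20% surprise the quote below describes.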
In the conversations we’ve had recently with customers, there’s a renewed focus on understanding where unrealized or overlapping investment can be recovered. Aside from the obvious security implications of missing security solution coverage, we’ve heard from IT and security professionals that finding wasted spend could be the difference between losing and justifying headcount.
“We would believe we scanned our entire network and understood what our actual threat and risks were, only to find out later on that we were off by 10% to 20%. That was almost an accepted risk that we didn’t want to accept.”
For IT and security pros, one of the biggest questions they have going into 2023 is, “How do I show our value is more than just preventing breaches?”
It’s difficult enough for IT and security teams to get a handle on all the devices, cloud services, applications, software, and user accounts in their IT environments. More complexity means less visibility, more security gaps, and more security incidents. Add to that the pressure of justifying value beyond avoiding breaches.
We often hear from our customers that they want to quantify the value that their teams produce. They don’t want to show that security is just a department of “no”. A few examples we’ve seen:
Reducing Costs, Not Value — Here you’ll see how IT and security teams can identify and save on wasted costs. Example: setting your EC2 instances to only run on weekdays.
Security Metrics: What’s the Value of Nothing Happening? — Looking at a few ROI metrics like breach-based ROI, time-based ROI, contribution to top-line revenue, and more.
With the high rate of SaaS applications across companies, what are the priorities for securing and managing SaaS?
That was the premise of “The Truth About SaaS Security and Why No One Cares … Yet”, a comprehensive study conducted by Savanta on behalf of Axonius.
Now that spending on SaaS apps has surpassed spending on Infrastructure as a Service, the belief was that securing SaaS would match that trend. The result: Not so much … yet.
Although 66% of organizations are spending more on SaaS than a year ago, only 34% are currently worried about SaaS costs.
Why aren’t people worried about it? It’s pretty obvious: there’s a lot going on. SaaS security and SaaS management are important, but when there are so many other urgent priorities, they fall to the bottom of the list. They are initiatives that organizations will end up spending time and effort on, but only the most mature security teams have already started to address SaaS security.
“Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can’t expect everyone to feel equally comfortable expressing an opinion, and so it’s important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what’s being said, but understand and empathize. Lastly, look for signs of burnout. … If you’re noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius