We’ve talked to hundreds of IT and security professionals to find out what their 2022 was like. We heard about their challenges, discoveries, strategies, and priorities when it comes to managing and securing assets and reducing the attack surface.
At a recent (ISC)² webinar, 2022: A Year of Wrangling Assets and Reducing the Attack Surface, I covered the top five learnings and trends from 2022 and the top five priorities for 2023 (plus one anti-priority). Here we’ll look at some of the highlights.
Asset Inventory and Controls Gaps: Belief vs. Reality
When it comes to understanding the entire asset inventory and the relationship between controls and security solution coverage, there are gaps between belief and reality.
In some industries, we’ve seen:
8%–17% of assets have installed agents that are either outdated or not running
20% of devices aren’t being scanned
Up to 40% of devices that should be covered by an endpoint detection and response (EDR) tool are missing the agent
In the conversations we’ve had recently with customers, there’s a renewed focus on understanding where unrealized or overlapping investment can be recovered. Aside from the obvious security implications of gaps in security tool coverage, we’ve heard from IT and security professionals that finding wasted spend can be the difference between losing and justifying headcount.
“We would believe we scanned our entire network and understood what our actual threat and risks were, only to find out later on that we were off by 10% to 20%. That was almost an accepted risk that we didn’t want to accept.”
Prioritizing security resources for strategic value: Changing the perception of security as a cost center
For IT and security pros, one of the biggest questions they have going into 2023 is, “How do I show our value is more than just preventing breaches?”
It’s difficult enough for IT and security teams to get a handle on all the devices, cloud services, applications, software, and user accounts in their IT environments. More complexity means less visibility, more security gaps, and more security incidents. Add to that the pressure of justifying value beyond avoiding breaches.
We often hear from our customers that they want to quantify the value their teams produce. They don’t want security to be seen as just the department of “no”. A few examples we’ve seen:
Reducing Costs, Not Value — Here you’ll see how IT and security teams can identify and save on wasted costs. Example: setting your EC2 instances to run only on weekdays.
Security Metrics: What’s the Value of Nothing Happening? — Looking at a few ROI metrics like breach-based ROI, time-based ROI, contribution to top-line revenue, and more.
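To make the EC2 weekday-scheduling example above concrete, here is an added example (not code from the original post or from Axonius) of the decision logic behind a tag-driven start/stop scheduler. It assumes a hypothetical tag convention `Schedule=weekdays-08-18` (run Monday–Friday, 08:00–18:00 UTC) or `Schedule=daily-HH-HH`; instances with no tag or a malformed tag are deliberately never touched. The planner is a pure function over `describe_instances()`-shaped records, so it runs offline against the constructed sample data below and can be unit-tested before you give it permission to stop anything.

```python
"""Tag-driven EC2 start/stop planner (added example; hypothetical tag scheme)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical tag format: "<weekdays|daily>-<start hour>-<end hour>", hours in UTC.
SCHEDULE_RE = re.compile(r"^(?P<days>weekdays|daily)-(?P<start>\d{2})-(?P<end>\d{2})$")


@dataclass
class Window:
    weekdays_only: bool
    start_hour: int
    end_hour: int


def parse_schedule(tag_value: str) -> Optional[Window]:
    """Return a Window for a well-formed Schedule tag, else None (never guess)."""
    m = SCHEDULE_RE.match(tag_value.strip().lower())
    if not m:
        return None
    start, end = int(m["start"]), int(m["end"])
    if not (0 <= start < end <= 24):
        return None
    return Window(m["days"] == "weekdays", start, end)


def should_run(window: Window, now: datetime) -> bool:
    """True if the instance is inside its run window at `now` (UTC)."""
    if window.weekdays_only and now.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return False
    return window.start_hour <= now.hour < window.end_hour


def plan_actions(instances: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Decide which instances to start/stop. Input is shaped like the
    Reservations[].Instances[] records returned by describe_instances()."""
    plan: Dict[str, List[str]] = {"start": [], "stop": [], "skip": []}
    for inst in instances:
        iid = inst["InstanceId"]
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        window = parse_schedule(tags.get("Schedule", ""))
        if window is None:
            plan["skip"].append(iid)  # untagged or malformed: out of scope
            continue
        state = inst["State"]["Name"]
        want_running = should_run(window, now)
        if want_running and state == "stopped":
            plan["start"].append(iid)
        elif not want_running and state == "running":
            plan["stop"].append(iid)
        else:
            plan["skip"].append(iid)  # already in the desired state
    return plan


# Constructed sample data (not from a real account).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a1", "State": {"Name": "running"},
     "Tags": [{"Key": "Schedule", "Value": "weekdays-08-18"}]},
    {"InstanceId": "i-0b2", "State": {"Name": "stopped"},
     "Tags": [{"Key": "Schedule", "Value": "weekdays-08-18"}]},
    {"InstanceId": "i-0c3", "State": {"Name": "running"},
     "Tags": [{"Key": "Schedule", "Value": "daily-00-24"}]},
    {"InstanceId": "i-0d4", "State": {"Name": "running"}, "Tags": []},
    {"InstanceId": "i-0e5", "State": {"Name": "running"},
     "Tags": [{"Key": "Schedule", "Value": "always"}]},  # malformed on purpose
]


def plan_sample(when_iso: str) -> Dict[str, List[str]]:
    """Run the planner over the sample data at an ISO-8601 UTC timestamp."""
    now = datetime.fromisoformat(when_iso).astimezone(timezone.utc)
    return plan_actions(SAMPLE_INSTANCES, now)


if __name__ == "__main__":
    print(plan_sample(datetime.now(timezone.utc).isoformat()))
    # To apply for real (boto3 not imported here so the example runs offline):
    #   ec2 = boto3.client("ec2")
    #   if plan["stop"]:  ec2.stop_instances(InstanceIds=plan["stop"])
    #   if plan["start"]: ec2.start_instances(InstanceIds=plan["start"])
```

If you wire this to a scheduled Lambda, give its role `ec2:StopInstances`/`ec2:StartInstances` only with an `aws:ResourceTag/Schedule` condition, so a bug in the planner (or a compromised function) cannot stop instances that were never opted in. The skip list is worth logging too: it is the same "belief vs. reality" coverage gap the webinar talks about, just for cost controls instead of EDR agents.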
The anti-priority: SaaS
With SaaS applications now so widespread across companies, what are the priorities for securing and managing them?
That was the premise of “The Truth About SaaS Security and Why No One Cares … Yet”, a comprehensive study conducted by Savanta on behalf of Axonius.
Now that spending on SaaS apps has surpassed spending on Infrastructure as a Service, the expectation was that investment in securing SaaS would follow the same trend. The result: not so much … yet.
Although 66% of organizations are spending more on SaaS than a year ago, only 34% are currently worried about SaaS costs.
Why aren’t people worried about it? It’s fairly obvious: there’s a lot going on. Securing and managing SaaS is important, but with so many other urgent priorities competing for attention, it falls to the bottom of the list. SaaS management and security are initiatives that organizations will eventually spend time and effort on, but so far only the most mature security teams have started to address them.