An overwhelming majority of security leaders believe their organization is falling short in addressing cybersecurity risks, according to the 2022 Security Priorities Study by Foundry (formerly IDG Communications).
The most-cited shortfalls are failing to convince other parts of the organization of the severity of the security risks it faces (27%), insufficient investment in cybersecurity (26%), failing to acquire and retain cybersecurity expertise (25%), not being proactive enough (25%), inadequate user training (24%), and failing to address security during application development (24%).
The study polled 872 respondents involved in IT, corporate or physical security decision-making to gain a better understanding of the security projects organizations are focused on now and over the coming year.
Most security leaders understand their organizations’ security situation
Despite these shortcomings, most IT and security decision-makers understood their security situation.
For example, 87% of the respondents said they knew what caused a cybersecurity incident at their organization in the past year.
According to the respondents, the leading cause of breaches was non-malicious error (34%). In response, they plan to expand security awareness training for end-users.
Other causes of breaches were third-party security vulnerabilities (28%), unpatched software vulnerabilities (27%), misconfigured services (26%), unexpected business risks exposing a vulnerability (17%), and software supply chain attacks (17%), among others.
Most organizations are on the right track in addressing cybersecurity risks
Most security leaders have set security priorities that put their organizations on the right track in addressing cybersecurity risks.
More than eight in ten (82%) security leaders regularly report to and engage with the board of directors on security issues. This approach appears to be working: 54% of security executives said their engagement with the board contributed positively to fulfilling their security priorities.
Apart from engaging management, security teams were also preparing for the eventuality of a cyber attack. According to the 2022 Security Priorities Study, almost half (49%) of the respondents listed preparing to respond to a cybersecurity incident among their priorities for the next year.
Addressing staff shortages is among the top security priorities for organizations
The 2022 Security Priorities study found that organizations adopted various strategies to address cybersecurity staff shortages.
Results show that 45% of security leaders are asking their existing security teams to take on more responsibilities and make greater use of automated security technologies, while 42% plan to outsource security functions.
Other responses to the skills shortage include increasing compensation packages and benefits (36%), educating HR on the cybersecurity skills being sought (33%), recruiting from other parts of the organization (27%), and offloading security functions to other parts of the business (16%).
Organizations increased budgets to address cybersecurity risks
Organizations also increased their investment in cybersecurity: the average security budget reported by respondents rose to $65 million in 2022, up from $11 million in 2021 and $5.5 million in 2020.
Key areas to benefit from the increased budget include cloud-based security services (36%), cloud infrastructure management services (35%), application development security (35%), access controls (34%), and cloud data protection (33%).
Organizations are searching for solutions to accelerate their security priorities
The Foundry study found that organizations were researching security tools and solutions as part of their cybersecurity strategy.
Security Orchestration, Automation, and Response (SOAR) tools emerged as the top solution being researched, cited by 34% of organizations. Zero trust technologies were the second most researched (32%), with Secure Access Service Edge (SASE) also at 32%.
However, conventional security solutions remained prevalent across organizations, whether in the piloting, production, or upgrading/refining stage. For example, most organizations (78%) used endpoint protection for laptops, desktops, and servers. Other widely deployed conventional solutions include multifactor, strong, or role-based authentication (75%), security education or awareness training (74%), patch management (74%), and incident response (72%).
Security leaders must overcome challenges to achieve their security priorities
Security executives contend with challenges that consume their time and divert their attention from their security priorities. These include meeting governance and compliance requirements (28%), employee awareness and training issues (27%), and unanticipated business risks (25%).
Additionally, external cybersecurity risks (23%), budgetary constraints (23%), protecting customer privacy and confidentiality (20%), and IT audits (20%), among others, consumed security executives' time.
The study covered SMBs with 1,000 or fewer employees and larger enterprises with more than 1,000 employees across the North America, EMEA, and APAC regions. SMBs fared worse than larger enterprises, with half lacking a CISO, CSO, or other top security executive. Only 85% of SMBs knew what caused their last security breach, compared to 91% of larger enterprises.
The findings suggest that smaller enterprises, with smaller average security budgets ($16 million versus $122 million for larger enterprises), will continue to bear the brunt of cyber attacks.