Are Enterprises Overconfident About Cybersecurity Readiness?
Cisco Cybersecurity Readiness Index Shows Only 3% of Companies Are Cyber Resilient
Digitization of infrastructure in a hyperconnected world presents complexity challenges, which expand the threat surface. Cisco's 2024 Cybersecurity Readiness Index reveals an alarming gap - while 80% of the companies surveyed were confident in dealing with the evolving threat landscape, only 3% attained the "Mature" level of readiness needed to be resilient against today's cybersecurity risks. Companies are taking action to address this as almost all - 97% - expect to increase their cybersecurity budgets in the next 12 to 24 months.
Cisco's index was based on a double-blind survey of 8,136 private sector security and business leaders across 30 global markets conducted by an independent third party. The readiness of companies was assessed by analyzing 31 solutions and capabilities across five key pillars: identity intelligence, machine trustworthiness, network resilience, cloud reinforcement and AI fortification.
Respondents were asked which of these solutions and capabilities they had deployed and the stage of their deployment. Based on the weightages in the five pillars and their state of readiness, the companies received their final scores, which were then classified into four stages of increasing readiness: Beginner - less than 10, Formative - from 11 to 40, Progressive - from 41 to 69, and Mature - 70 and above.
Comparing statistics for global companies and their overall state of readiness, between the years 2022-2023 and 2023-2024, shows certain surprising changes. See Image 2.
The number of Mature companies dropped to 3% this year from 15% in the previous year. The number of Progressive companies dropped by 4% this year, but the number of Formative companies increased by 13%. In addition, more Beginners were included in the index this year.
Raymond Janse van Rensburg, vice president of specialists and solutions engineering for APJC at Cisco, said this should not be considered as a static comparison, as the benchmark was done with "a lot more capabilities" this year.
"Digitization continues to accelerate around us. We see that there is pressure on organizations to transform. But with that, the attack surface is changing, and there is a lot of technology advancement that is taking place as well," said van Rensburg. "We need to keep pace with change, with the transformation of the organizations, and also to keep pace with change for cybersecurity and the capabilities we bring in across the industry to provide the necessary protections."
"We live in a world that is more connected than before. There is complexity, which is being driven by digitization and a range of factors. It is also a complicated world, especially for the IT and security practices," said Peter Molloy, managing director of global security sales operations for Cisco APJC.
There is hybrid connectivity with users, devices and things [IoT] connecting from anywhere to hybrid applications - on-premises, private cloud or SaaS - that could be deployed anywhere across the world, Molloy said.
Considering that 73% of respondents said a cybersecurity incident is likely to disrupt their business in the next 12 to 24 months, the index deemed readiness as being critical.
"Organizations are trying to establish secure and resilient connectivity between the users, devices and things and the applications they are trying to access. But there is a significant amount of complexity and risk under the hood," Molloy said, alluding to the complex underlying infrastructure needed to establish that connectivity.
These challenges are a result of the changes made to infrastructure during the pandemic, which saw enterprise computing environments shift from centralized to decentralized architectures, as employees began to work from home and other locations. This caused the sprawl of devices, services, applications and users beyond the corporate firewall.
When asked about the level of confidence and where it comes from, Molloy told Information Security Media Group that the customers he spoke to said they have plans to counteract the issues that confront them. "Despite all that data, they had confidence that things were in control. When I spoke to CXO-level executives, they told me there were challenges they haven't seen yet, and I am surprised at that level of confidence," he said.
Key Findings
Overall, the study found that only 3% of companies are ready to tackle today's threats, and two-thirds of organizations fall into the Beginner or Formative stages of readiness. Other findings are:
- Rising costs of cyber incidents: The cost of being unprepared can be substantial, as 54% of respondents said they experienced a cybersecurity incident in the last 12 months, and 52% of those affected said it cost them at least $300,000.
- Point solution overload: The traditional approach of adopting multiple cybersecurity point solutions has not delivered effective results, as 80% of respondents admitted that having multiple point solutions slowed down their team's ability to detect, respond and recover from incidents. This raises significant concerns as 67% of organizations said they have deployed 10 or more point solutions in their security stacks, and 25% said they have 30 or more.
- Unsecure and unmanaged devices add complexity: 85% of companies said their employees access company platforms from unmanaged devices, and 43% of those spend one-fifth or 20% of their time logged onto company networks from unmanaged devices. Also, 29% reported that their employees hop between at least six networks over a week.
- The cyber talent gap persists: Progress is being further hampered by critical talent shortages - 87% of companies highlight it as an issue. In fact, 46% of companies said they had more than 10 roles related to cybersecurity unfilled in their organization at the time of the survey.
- Future cyber investments ramping up: Companies are aware of the challenge and are ramping up their defenses. Fifty-two percent said they plan to significantly upgrade their IT infrastructure in the next 12 to 24 months. This is a marked increase from the 33% who planned to do so last year. Most prominently, 66% of organizations said they plan to upgrade existing solutions, 57% plan to deploy new solutions and 55% plan to invest in AI-driven technologies. Eighty-six percent of respondents said their budgets will increase by 10% or more.
The Cisco report offers recommendations to help companies overcome the challenges of today's expanding threat landscape. A key one is to adopt a platform approach to security and make investments in platform-centric technologies.
In a hybrid environment, with users working from various locations, securing unmanaged devices and fortifying Wi-Fi networks outside the perimeter are of paramount importance.
AI technologies can provide a degree of automation to enhance security and boost operational resilience. Organizations also need to review their talent gaps and recruit skilled professionals to close those gaps. Finally, it is crucial to establish baselines and to continually monitor or update them to strengthen cybersecurity posture.