Only about a fifth of cybersecurity leaders today are confident about their organization’s cybersecurity approach, with only a half trusting the training they provide in-house, according to an EY study.
The study that surveyed 500 cybersecurity leaders worldwide found them to be struggling with their organization’s defenses even as the number of cyberthreats and associated costs increased.
“After all the time and money spent on cybersecurity, CISOs still feel very unprepared against cyberthreats,” Richard Watson, EY Global and Asia-Pacific cybersecurity consulting leader, said in a press release. “The levels of dissatisfaction are more worrying when seen in the context of increasing geopolitical instability, economic uncertainty, and the rapid adoption of emerging technologies that will push the number of incidents to even higher levels and see cyber adversaries continually evolve.”
The study also revealed slower detection and response times by organizations amid growing attack sophistication.
Costs escalate but response dwindles
The study observed a rise in the annual cybersecurity incidents as respondents reported an average of 44 incidents in 2022. This, in turn, inflates the spending in terms of security, response, and insurance costs.
CISO respondents reported an average annual spend of $35 million on cybersecurity, with the median cost of a breach jumping 12% to $2.5 million. The leaders said they anticipate the cost per breach to reach $4 million by the end of the year.
The response time, however, hasn’t improved quite as well despite funds going into cybersecurity tools. “Despite high levels of spending, detection and response times appear slow,” the study highlighted. “More than three-quarters of respondents (76%) say their organizations take an average of six months or longer to detect and respond to an incident.”
The biggest internal challenges to the organization’s cybersecurity approach were reported to be “too many potential attack surfaces” at 52%, and “difficulty balancing security and innovation speed” at 50%.
The study also noted big discrepancies between the CISOs and other C-suite leaders when it came to their organization’s cybersecurity preparedness. While 60% of CISOs were confident about the C-suite integration of cybersecurity into key business decisions, only over half of other C-suite officers believed they were effective. There was also a huge gap (12%) between their satisfaction with the overall cybersecurity preparedness.
Study noted an emphasis on security through simplification
For better understanding and evaluation, the study was able to categorize the responding organizations into “secure creators” and “prone enterprises.” The grouping was done on the basis of the number of solutions used, the adoption of emerging technologies, and the use of technologies to simplify their automation environments.
The study found that secure creators are more satisfied with their approach to cybersecurity, experience fewer cybersecurity incidents, and can detect and respond to incidents quicker. About 70% of them are early adopters of emerging technologies.
The secure creators are also more focused on extracting the most value from specific advanced solutions, with 62% already using or in the late stages of implementing AI/ML solutions, as compared to only 45% of the prone enterprises.
“When it comes to technology, the more clutter an organization has in its armory, the harder it is to pick up signals and get on top of issues quickly,” Watson said. “CISOs should focus not on bolting on new technologies but integrating existing ones better. Organizations are now inextricably and digitally linked to businesses in their supply chain.”
Additionally, 52% of secure creators have adopted security, orchestration, automation, and response (SOAR) solutions while only 38% of prone enterprises did so. Secure creators also reported (45%) improved adaptability of their existing solutions as threats change, as they believe they use their tools to their best capacities.
Organizations experience very different outcomes partly as a result of their cybersecurity strategy, EY noted in the study. In line with these findings, EY has recommended simplifying the cybersecurity technology stack, using automation, incremental and well-designed training, and effective inter-tier communication.