Cybersecurity measurement trends and predictions for 2022
We’ve experienced major changes in cybersecurity over the past 18 months. The pandemic, an increase in financially damaging ransomware breaches, and third-party compromises have security teams under more pressure than ever.

For security measurement, this means an increase in assurance to oversight bodies, adapting measurement techniques to accommodate changes in working practices, and an increased need for accurate information to hold internal stakeholders accountable.

Before we dive into my cybersecurity measurement trends and predictions, let’s look at the current state of play. Here’s what our 2022 Security Leaders Peer Report reveals about the impact of the pandemic on cybersecurity:

The first stat is telling – in conversations with CISOs, the number one pain that keeps them up at night is suffering a breach through control failure. And it’s no surprise: as highly conscientious people, CISOs want to be diligent and prepared. If they’ve invested in a control, they don’t want to be liable for a breach due to that control failing.

We’ve seen more events, incidents, and breaches. More unpatched vulnerabilities. More time spent remediating, rolling out tools, and reporting. Security teams are working harder than ever.

In this article, I’ll look at the following themes in cybersecurity measurement:
- Ongoing security trends
- Ransomware
- Cyber insurance
- Oversight and stakeholders
Ongoing security trends
When I started the company in 2014, there were critical challenges driving the need for automated cybersecurity measurement. Those are still relevant today and will remain so in the future:

- More breaches. A few years ago, a major breach was front-page news. Now it barely gets a mention. The number of breaches continues to rise, and the cost of a breach continues to rise.
- More scrutiny. As the frequency and impact of breaches have increased, so has the level of scrutiny on security teams. Externally, this includes regulators, auditors, customers, insurers, enquirers, and partners. Internally, it means risk and compliance, the board, and internal audit. And it's not just the number of people demanding information; the breadth and depth of data required have grown. It's no longer enough to state an intent to do good security; it's often necessary to provide empirical evidence.
- More accountable stakeholders. Every individual, department, and function has an impact on cybersecurity posture. To reduce risk, security teams must now deliver increasingly high-quality metrics to a wider variety of stakeholders that need to be held accountable, using language and formats they can understand.
- More tooling. To help deal with the evolving threat landscape, organisations continually invest in new tools. Our research found the average enterprise now has 76 security tools – an increase of 19% over the last two years.
- More data. This influx of tooling means data silos. Each tool requires expertise and management and adds to the complexity of understanding all assets and controls in the enterprise. Our research indicates that this problem is contributing to enterprise security teams spending (some would say wasting) half their time on manual reporting.
- Scarcity of security pros. The need for security professionals is growing faster than we can train them. The security skills shortage is a real problem, and while there are things we can do to overcome it, it will continue for the foreseeable future.

These are fundamental challenges in cybersecurity. They have deteriorated over the last seven years, and I predict they will continue to deteriorate.

Ransomware
Ransomware is the risk du jour in cybersecurity, and it will only grow in 2022. There was a considerable increase in ransomware attacks in 2021, according to a Trend Micro report, with the banking industry seeing a 1,318% year-on-year increase in attacks. The Verizon 2021 DBIR also noted an increased frequency of ransomware attacks and expects that to continue.

Often the negative impact of a cyber breach is ambiguous and hard to quantify. But in the case of ransomware, money goes out the door and business operations are shut down. These are easily measurable and communicable, and I believe that’s why they’ve had such a dramatic effect on the industry.

Ransomware is a board-level risk. Leaders outside of security are rightly concerned about the potential for major disruption and damage. Indeed, there are also physical consequences – we saw the impact of the Colonial Pipeline attack, and we have seen cyberattacks on healthcare organisations lead to patient deaths. Events like this will unfortunately get worse before they get better.

Cybersecurity measurement is critical in combating ransomware. As the old adage goes, if we can’t measure it, we can’t manage it. Attackers use well-understood techniques to gain entry, establish a foothold, move laterally and lock down a victim’s computer systems and services. These attacks can be thwarted by a fully deployed, effective set of security controls. But the only way to ensure defenses are always fully operational is through continuous monitoring of assets and controls to provide constant assurance.

Not only that, but ransomware also has a critical impact on…

Cyber insurance
Cyber insurance used to be straightforward – you would answer a short questionnaire, get a decent premium for multi-million dollars of cover, and in the event of a breach, the insurer would pay out. As brokers and underwriters competed for market share in this new and burgeoning market, customers were the winners.

But now, thanks in part to the proliferation of ransomware-driven claims during the pandemic, cyber insurers have been forced to pay out on underpriced policies, pushing their portfolios towards being loss-making. The result is that the market has hardened, insurers have withdrawn, and it’s much tougher for customers to get insurance at all, let alone good value on a policy.

I predict that an inability to purchase cyber insurance will become another driver for improved cybersecurity measurement. As insurers increasingly choose only the best-looking customers to insure, organisations will need to improve the way they communicate their security posture.

Looking beyond 2022, I expect a consistent form of measurement and reporting to emerge for insurance, where clients can compare like-for-like policies across insurers, and insurers can compare customers’ security risk, again on a like-for-like basis. This will involve standardisation of metrics and measurements, and a willingness to share more data to collaborate towards lower risk and therefore lower premiums. The future of the cyber insurance market looks like car insurance’s telematics.

Our research supports this. We asked 1,200 security leaders from large organisations across various industries the following question:

This shows that organisations would be on board with this idea. We just need to get the insurers to sign off. It will bring its own challenges, but it seems like a clear win-win.

Oversight and accountable stakeholders
We can put security stakeholders into two main categories – oversight and accountable.
- Oversight. These are the stakeholders that our security teams need to demonstrate security posture to, with trustworthy and understandable security metrics and measurement. These include auditors, the board, regulators, customers, and insurers.
- Accountable. These are the stakeholders being held accountable by the security team, including IT, business lines, operational functions, and third-parties.