As we move into 2024, it is worthwhile to take a step back and reflect on the lessons learned from the past year. With the help of hundreds of IT and security professionals, we gained valuable insights into the challenges, discoveries, strategies, and priorities that businesses face when managing and securing assets and reducing their attack surface. In this blog, we share the highlights from these conversations.
Asset Inventory and Control Gaps: The Difference Between Belief and Reality
A key topic from our discussions with IT and security professionals is the discrepancy between the perceived state of an organization’s asset inventory and the actual state of an organization’s asset inventory. This disparity can have serious consequences, causing gaps in security coverage and putting the organization at risk.
For example, our research shows that in certain industries, up to 40% of devices are not protected with an endpoint detection and response tool because the agent is not installed on those devices. Additionally, 8-17% of assets have outdated agents or non-running agents.
Because of the discrepancy between perceived asset inventory and actual asset inventory, organizations are investing in security solutions that do not provide the full coverage they need. IT and security professionals we spoke to express a renewed focus on finding and fixing security gaps, as well as finding areas where investments might be redundant or unused.
“We thought we had scanned our entire network and understood our actual threat and risks, only to later find out that we were off by 10-20%. That was an accepted risk that we didn’t want to accept,” said David Christensen, VP and CISO at PlanSource.
Moving Beyond Prevention to Show the Strategic Value of Security
Another challenge for IT and security professionals is providing value beyond preventing breaches. With more and more devices, cloud services, applications, software, and user accounts to manage, IT and security professionals spend a lot of time managing the security of their IT environment.
IT and security teams want to quantify the value they provide, but this can be challenging when security is perceived as a cost center. Our research shows that businesses want to reduce costs without sacrificing value. One way to do this is by identifying and saving on wasted costs. For example, IT and security teams could configure EC2 instances to run only on weekdays. IT and security teams could also audit cloud services and retire those that are not used or used very infrequently.
Another way to demonstrate the value of security is to look at ROI metrics such as breach-based ROI, time-based ROI, and contribution to top-line revenue. By doing so, IT and security teams show that the value of their work goes beyond simply preventing breaches.
The Anti-Priority: SaaS Security
With the rapid growth of SaaS applications, SaaS management and security are becoming increasingly important initiatives for organizations. However, our research shows that despite 66% of organizations spending more on SaaS than they did a year ago, only 34% are currently worried about SaaS costs.
This discrepancy is likely caused by the many other urgent priorities that many organizations must focus on. As a result, SaaS security is often pushed to the bottom of the list and is addressed only by the most mature security teams.
Conclusion
In conclusion, our discussions with IT and security professionals provide valuable insights into the challenges and priorities facing businesses regarding managing and securing assets and reducing their attack surface. As we move into 2023, organizations need to implement a comprehensive approach to their cybersecurity strategy, looking beyond just prevention to the wider strategic value of their security programs.