SAN JOSE, Calif. — Skybox Security released new findings, revealing traditional security approaches that rely on reactive, detect-and-respond measures and tedious manual processes can't keep pace with the volume, variety, and velocity of current threats. As a result, 27% of all executives and 40% of chief security officers (CSOs) say their organizations are not well=prepared for today's rapidly shifting threat landscape. 

On average, organizations experienced 15% more cybersecurity incidents in 2021 than in 2020. In addition, "material breaches"— defined as "those generating a large loss, compromising many records, or having a significant impact on business operations" — jumped 24.5%.  

The top four causes of the most significant breaches reported by the affected organizations were human error, misconfigurations, poor maintenance/lack of cyber hygiene, and unknown assets.

"What's notable about this list is that all of these conditions result from mistakes or manual processes inside organizations — which means they are all, in principle, avoidable," said Ran Abramson, threat intelligence analyst, Skybox Research Lab. "The clear implication is that, however pernicious external threats have become, cybersecurity teams still have the power to repel them. And that's the good news: With the right practices and tools, including automation to maximize efficiency and get the most out of limited staff, breaches can be prevented." 

The study surveyed executives and analyzed the cybersecurity investments, practices, and performance of 1,200 companies and public-sector organizations in 16 countries and a wide range of industries. The research findings uncover that conventional cybersecurity approaches are falling short, and organizations that shift to modern, risk-based strategies are more successful in preventing breaches.   

Though organizations, on average, saw a significant uptick in incidents and material breaches in the past two years, a distinct subset had few or no breaches at all. So, what sets these exceptional organizations apart? The researchers found that firms with fewer breaches were different from the rest of the pack in two fundamental respects.

  1. Organizations that prevented breaches ranked higher in cybersecurity progress as measured by the NIST framework. The framework, developed by the National Institute of Standards and Technology, provides guidelines that help companies evaluate and improve their cybersecurity maturity in activities, such as detecting and responding to incidents. 
  2. Beyond the NIST framework, organizations with no breaches took what the researchers call "a risk-based approach" to cybersecurity. Forty-eight percent of organizations with no breaches in 2021 had implemented risk-based cybersecurity management strategies. They also performed better in key cybersecurity metrics: 46% were top performers in time to respond to a breach, and 50% were top performers in time to respond. 

Looking more closely at the ingredients of a risk-based approach and the specific practices that distinguish risk-oriented organizations from their less proficient peers, the benchmark study found that risk-based leaders excelled in key areas beyond the NIST framework, including attack surface visibility and context, attack simulation, exposure analysis, risk scoring, vulnerability assessments, research (threat intelligence), and technology assessments and consolidation.

"Yoz must take a risk-based approach because you can't secure everything 100%,” said Gary McAlum, board director, National Cybersecurity Center. “There are a lot of questions to ask: What is the business of the business? What does the risk profile look like? What are the threats? What are the implications? And what is the governance process an organization goes through to make risk-based decisions?" 

The business impact of successful risk-based security management — versus the old status-quo, detect-and-respond approach — is measured in this research. By preventing or mitigating breaches, risk-based methods could have saved companies millions of dollars annually and prevent untold damage to reputation, customer trust, company morale, and market standing.  

"The cybersecurity industry is witnessing a paradigm shift in cyber risk,” said Gidi Cohen, CEO and founder of Skybox Security. “To prevent breaches, CISOs must make a strategic shift — from the traditional volume play of identifying vulnerabilities and merely adhering to cybersecurity frameworks  to taking a strategic risk-based view of reducing actual exposure. At the board level, leaders want to understand their risk profile rather than how many vulnerabilities were patched each month. CISOs need to validate and report on how they're taking measurable, proactive steps to reduce risk systematically and reduce the financial impact a breach could have on their company."