Should you measure the maturity and performance of your security program? How often? A survey suggests 60% of CISOs (chief information security officers) measure their security programs at least once a month and 89% measure the maturity and performance of their full security program at least once each quarter. Let’s take a closer look at how they are measuring and evaluating potential threats.
The report from Onyxia Cyber surveyed more than 200 CISOs across a wide range of industries in the United States and Canada. Aspects in the survey include evaluating what metrics CISOs are measuring and how they are assessing cyber risk across multiple areas, such as incident response, vulnerability patching, and phishing simulations, as well as the overall impact of various cyber risk-management strategies.
The results from the survey are very enlightening. We see 33% of CISOs are not working toward a same-day MTTD (mean time to detect), and do not have an SLA to start working on mitigating risk within 8 hours of a breach.
What about the time to respond? MTTR (mean time to respond) is an important KPI (key performance indicator) for all security teams, as the longer the dwell time of an attack, the more catastrophic its impact. The average MTTR CISOs report is 9 hours, with the IT industry being the fastest to respond to threats, in under 7.4 hours. The financial services industry, which many expect to be ahead of the curve in security, is actually at just over 9.3 hours.
Patching vulnerabilities is a real challenge for the security industry. The average SLA for patching or resolving critical-severity vulnerabilities is 16.3 days. The average SLA for patching or resolving high-severity vulnerabilities is considerably longer, at 22.1 days. This time frame leaves the door wide open for evildoers to abuse vulnerabilities to attack organizations. We can see in the data that critical-severity vulnerabilities are given priority, and therefore 75% are resolved within 21 days, compared with 48% of those that are high severity.
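As an added example (not from the survey or from this column), here is how a security team could compute the KPIs discussed above from its own ticket data: MTTD, MTTR, the share of incidents detected the same day, and SLA compliance by severity. The incident and vulnerability records are constructed, and the 24-hour and 21-day thresholds are assumptions taken from the figures quoted above.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records (not the survey's data), ISO 8601 timestamps.
INCIDENTS = [
    # (first malicious activity, detected, contained)
    ("2024-03-01T02:00", "2024-03-01T09:30", "2024-03-01T16:00"),
    ("2024-03-04T22:15", "2024-03-06T08:00", "2024-03-06T20:45"),
    ("2024-03-10T11:00", "2024-03-10T11:40", "2024-03-10T15:10"),
]
VULNS = [
    # (severity, fix available, resolved; None = still open)
    ("critical", "2024-03-01", "2024-03-12"),
    ("critical", "2024-03-02", "2024-03-30"),
    ("critical", "2024-03-05", "2024-03-19"),
    ("critical", "2024-03-08", None),
    ("high", "2024-03-01", "2024-03-20"),
    ("high", "2024-03-03", "2024-03-28"),
    ("high", "2024-03-06", "2024-03-24"),
]


def _hours(start, end):
    """Elapsed hours between two ISO timestamps (date-only strings count as midnight)."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def mttd(incidents):
    """Mean time to detect: hours from first malicious activity to detection."""
    return mean(_hours(occurred, detected) for occurred, detected, _ in incidents)


def mttr(incidents):
    """Mean time to respond: hours from detection to containment (dwell time after detection)."""
    return mean(_hours(detected, contained) for _, detected, contained in incidents)


def same_day_detection_rate(incidents, limit_hours=24):
    """Share of incidents detected within limit_hours (the 'same-day MTTD' goal)."""
    return sum(_hours(o, d) <= limit_hours for o, d, _ in incidents) / len(incidents)


def sla_compliance(vulns, severity, sla_days):
    """Share of vulns of one severity resolved within sla_days; still-open ones count as misses."""
    matching = [v for v in vulns if v[0] == severity]
    met = sum(v[2] is not None and _hours(v[1], v[2]) <= sla_days * 24 for v in matching)
    return met / len(matching)
```

Open tickets are deliberately counted as SLA misses so that a backlog cannot inflate the compliance figure.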
Cybersecurity management platforms can help, as they provide security assessment and benchmarking, program performance, and streamlined board reporting.
I spoke about the value of AI (artificial intelligence) in cybersecurity on The Peggy Smedley Show last week, saying how it can help protect organizations while eliminating the administrative load on security staff. As an example, Microsoft Security Copilot is an AI assistant for security teams that builds on the latest LLMs (large language models). In just a few short months, the technology is already helping customers save up to 40% of their time on core security operations tasks.
While many recognize the advantage such technologies provide, what about small businesses? How can they still mitigate cybersecurity challenges on a tight budget? This is precisely what I talked about with Ally Armeson, executive director of programs, Cybercrime Support Network, on The Peggy Smedley Show this week. She walks through the biggest challenges that exist and how to mitigate them on a tight budget, all while pointing to how the emergence of generative AI can impact workers.
At the end of the day, cybersecurity is perhaps one of the hottest topics of the year, mainly because it impacts every business in every part of the globe. Perhaps even more importantly, if it’s not one of your key areas of focus within your organization, it clearly needs to be. As we have outlined time and time again, if we want to protect our companies, we must measure our progress and prepare for a better and more secure tomorrow.