
XMCyber: The 2024 State of Security Posture Survey Report (English edition) (22 pages).pdf


The 2024 State of Security Posture Survey Report

Organizations' Plans for Vulnerability/Exposure Remediation in the Next 12 Months
Main Drivers in the Planned Increase in Remediation Efforts
Percentage of Security/IT Teams Involved with Remediations of Exposures/Vulnerabilities
Gap Between the Number of Vulnerabilities/Exposures in the Environment and the Ability to Remediate Them
Number of Remediated Exposures in an Average Week
Value of Better Communicating the Security Posture Status to Company's Leadership and the Board
Companies' Vulnerability/Exposure Management Program
Companies' Processes for Addressing Exposures Across On-Prem and Hybrid Cloud Environments
Companies' Processes for Addressing Identity and Credential Related Exposures
Biggest Opportunity for Improving Security Posture
Frequency of Inability to Remediate Exposures Due to Purchased Systems, Legacy Applications, Etc.

In recent years there has been a persistent surge in the frequency, volume, and impact of cyberattacks. Despite concerted efforts to detect and thwart these threats, attackers continuously innovate, finding novel ways to bypass detective controls. They exploit a diverse range of threats, which include Common Vulnerabilities and Exposures (CVEs) but also the misconfigurations, identity issues and active directory issues, i.e., exposures, which go far beyond CVEs, and are so often exploited in attacks.

Scrutiny of this issue from regulatory bodies, including the Securities and Exchange Commission (SEC), has intensified. Organizations now face additional obligations and requirements for prompt notifications when security incidents occur. This has placed considerable pressure on organizations to refine their incident response processes, emphasizing the need for transparency and the sharing of best practices.

For these reasons, addressing exposures and maturing their security posture has become increasingly crucial for security teams. Organizations must remediate exposures that attackers could use to move laterally in the early stages of their multi-step attacks to prevent their access to critical systems.

This survey explores the current state of the market concerning the effort to fortify security posture. We aim to assess how well exposures are being remediated, the level of effort invested in this undertaking, and the motivations behind such efforts. Through this research, we endeavor to provide a comprehensive view of the cybersecurity landscape, offering valuable insights for organizations striving to navigate the evolving threat landscape effectively.

Methodology

To gain insights into cybersecurity practices, we conducted a survey involving 300 full-time employees, including influential decision-makers such as CISOs, Directors, VP/Heads of Security, and other senior cyber professionals responsible for purchasing decisions. These participants were strategically sourced from 210 organizations in the US and 90 in the UK, all with 2,500 employees or more. The survey, spanning the second half of 2023, was conducted in collaboration with Global Surveyz, an independent survey company.

1. Our survey found that 87% of organizations acknowledge the pressing need to increase their commitment to vulnerability and exposure remediation in the next 12 months. Despite challenges such as overwhelmed security teams, a shortage of skilled personnel, and the struggle to fill critical positions, this finding reveals organizations' resolute commitment to allocating more resources and effort toward exposure management. Organizations clearly understand that proactive measures are essential in preventing cyberattacks.

2. As the number of vulnerabilities in their environments continues to rise, organizations face an uphill battle in addressing them comprehensively. The sheer volume of vulnerabilities makes them practically impossible to address, resulting in a widening remediation gap. Notably, this finding only measures CVEs, which represent just one type of exposure. Combined with other exposure types (such as misconfigurations of systems and applications and insufficiently managed identities), organizations are grappling with a multifaceted, growing threat landscape.

3. Exposure remediation efforts have a significant impact on operations. 62% of IT and security teams are involved in remediating an average of 12 exposures per week. Yet this resource allocation is still notably inadequate in the face of the thousands of CVEs created annually, not to mention other types of exposures. The stark contrast between the volume of exposures and the limited capacity to remediate underscores the formidable challenge organizations face in closing the remediation gap. As the problem continues to grow, there is an urgent need to explore innovative strategies that enable organizations to better prioritize the exposures that have the biggest impact on blocking attacker tactics.

4. A substantial 45% of companies recognize the cloud environment as the primary area for enhancing their security posture, emphasizing the evolving nature of cybersecurity concerns. This shift underscores the need for organizations to address a broader spectrum of challenges, extending beyond the conventional focus on CVEs. As the significance of cloud environments continues to grow, organizations must adapt and prioritize strategies to fortify their security posture in this critical space.

5. Despite heightened cybersecurity efforts and a widening remediation gap, organizations face a significant challenge in effectively communicating their cybersecurity progress to leadership. We found that 68% of companies report that better communicating their security posture status to leadership and the board is very valuable. This suggests a pronounced discrepancy between the work done by taxed and overwhelmed security resources and their ability to convey this progress to leadership. This finding underscores the urgency for organizations to establish more effective communication strategies, ensuring that the efforts of their security teams are appropriately acknowledged.

6. Because of outdated legacy systems, 90% of respondents face challenges in addressing exposures. In grappling with the intricacies introduced by legacy systems, organizations confront three choices: accepting the risk, rewriting the application, or gaining a deep understanding of attack paths to remediate exposures and prevent potential harm to critical assets.

87% of surveyed organizations expressed their intent to increase their commitment to vulnerability and exposure remediation in the next 12 months. This may be related to a variety of factors, including the fact that exposure management is becoming a strategic topic instead of being merely a checkbox item, or that Detection and Response tools continue to fail, forcing reliance on security posture. Despite challenges such as overwhelmed security teams and a shortage of skilled personnel, organizations are prioritizing efforts to address cybersecurity issues. This commitment underscores the gravity of the cybersecurity problem and the determination to allocate resources for its resolution. Only a minimal 5% of companies plan to decrease their level of effort in vulnerability and exposure remediation, emphasizing a broad consensus on the importance of cybersecurity initiatives.

Figure 1: Organizations' Plans for Vulnerability/Exposure Remediation in the Next 12 Months. A lot more: 37%; Somewhat more: 50%; Same as before: 8%; Somewhat less: 5%. More efforts: 87%.

27% of organizations attribute their plans to increase remediation efforts to a heightened priority given to security by company leadership. This shift is indicative of a broader trend in which security has ascended to a higher echelon of company priorities. The integration of security discussions at the board of directors level underscores a collective concern, particularly in public companies, about the significant impact that cyberattacks can have on business operations. Other factors, such as the expanding attack surface (15%), compliance or audit-related considerations (15%), an increased pace of vulnerabilities discovered (13%), and increased concern about attacks going undetected (13%) also drive an increase in remediation efforts.

Figure 2: Main Drivers in the Planned Increase in Remediation Efforts. Security has become a higher company priority from leadership: 27%; Expanded attack surface requiring management: 15%; Compliance or audit-related reason: 15%; Increased pace of vulnerabilities discovered: 13%; Increased concern about attacks going undetected: 13%; As a requirement of cyber insurance: 9%; As a requirement of customer(s) and/or partner(s): 8%.

The survey findings reveal that, on average, 62% of security and IT teams actively engage in the remediation of exposures or vulnerabilities (Figure 3). This underscores the significance of this initiative, impacting a substantial portion of organizational personnel. While this high level of engagement signifies the importance placed on cybersecurity measures, it also highlights the associated costs and the potential for increased efficiency. There may be an opportunity for organizations to optimize their approach to remediations, ensuring a balance between effectiveness and resource utilization.

Further, as company size increases, the percentage of security and IT teams involved in remediation efforts decreases (Figure 4). This can be attributed to larger organizations having more extensive security teams with a higher degree of specialization, resulting in a smaller proportion actively participating in any particular activity. Yet even for organizations with 10,000 or more employees, 56% is still surprisingly substantial.

Figure 3: Average of Security/IT Teams Involved with Remediations of Exposures/Vulnerabilities, by Company Size. All respondents: 62%; 2,500-4,999 employees: 69%; 5,000-9,999 employees: 61%; 10,000+ employees: 56%.

A striking 82% of surveyed companies reported an increase in the gap between the number of vulnerabilities/exposures in their environment and their ability to remediate them. This finding underscores the pervasive challenge organizations face in keeping pace with the growing number of vulnerabilities, making it increasingly difficult to address each one comprehensively. Notably, Common Vulnerabilities and Exposures (CVEs) represent only a subset of exposures, in addition to issues such as misconfiguration and weak credentials, which are harder to count. The acknowledgment of this widening gap by such a significant majority of respondents suggests the enormity of the issue. It's crucial to recognize that this figure might even underestimate the extent of the challenge, as those in the remaining 13% either might be unaware of the increasing gap or have successfully reduced it through substantial efforts.

Figure 4: Gap Between the Number of Vulnerabilities/Exposures in Environment and Ability to Remediate Them. Increased significantly: 38%; Increased slightly: 44%; Unchanged: 5%; Decreased slightly: 11%; Decreased significantly: 2%. Gap increased: 82%.

On average, companies reported addressing about 12 exposures per week. This figure is juxtaposed against the backdrop of an average of 10k-250k CVEs generated each year, not to mention other security issues. The data points to a stark reality: organizations seem to be able to address only a fraction of the vulnerabilities and exposures within their environments. With thousands of new issues emerging annually, the current pace of remediation efforts exacerbates the widening remediation gap. This underscores the critical need for organizations to explore innovative approaches to remediation, ensuring a more effective and scalable response to the growing challenges posed by an ever-expanding threat landscape. Without addressing this issue head-on, the gap between vulnerabilities and remediation efforts is poised to persist and potentially widen further, necessitating a strategic reevaluation of remediation approaches within organizations.

Figure 5: Number of Remediated Exposures in an Average Week. 0: 0%; 1-4: 9%; 5-9: 22%; 10-15: 46%; 16-20: 21%; 21 or more: 2%. Weighted average: 11.8 exposures.

A substantial 68% of companies identify the ability to effectively communicate the current state of their security posture as highly valuable to company leadership and the board. This finding reveals that many organizations, despite dedicating significant resources to bolstering their security postures, find themselves struggling to convey this progress to leadership and the board. This communication gap not only hinders the acknowledgment of the hard work done by security teams but also has broader implications, potentially contributing to high turnover rates within the security sector and impacting budgets. If organizations cannot effectively communicate their current status and progress, it becomes challenging to make a compelling case for an incremental budget necessary to reach an acceptable level of risk mitigation. This highlights a need for improved communication strategies. Bridging this gap is crucial not only for required reporting, but also to recognize and reward the hard work of security personnel, as well as for fostering a positive and supportive cybersecurity culture within organizations.

Figure 6: Value of Better Communicating the Security Posture Status to Company's Leadership and the Board. Very valuable: 68%; Slightly valuable: 30%; Not so valuable: 2%; Not valuable at all: 0%.

Considering the substantial efforts being invested in remediation, and the associated high cost of human resources, we posed the question, "How are companies managing exposures?" We found that 61% of companies admit to operating reactively, addressing high-severity issues when they arise, while only 23% have formalized processes in place. This is remarkable given that basic vulnerability management has existed for 25 years.

Interestingly, the data reveals a notable trend when examined by job seniority. More senior roles in the company report having more formalized processes than Directors, who are closer to the frontline work. The data suggests a need to investigate whether security teams have the necessary tools to establish and sustain an ongoing formalized process. It also introduces the possibility that there may be a communication gap between directors and their superiors, with those closer to the operational frontlines having a more nuanced understanding of the cybersecurity challenges faced by the organization.

Figure 7: Companies' Description of their Vulnerability/Exposure Management Program. All respondents: Reactive: 61%; Have formalized processes in place for regularly assessing, prioritizing, and remediating vulnerabilities/exposures: 23%; Have some processes in place, but they are not formalized: 16%. By job seniority (reactive / formalized processes / some processes, not formalized): Director: 79% / 12% / 9%; VP/Head: 61% / 26% / 13%; C-Suite: 57% / 24% / 18%.

The responses reveal that, in about half of organizations (47%), separate processes and/or teams are responsible for addressing exposures across on-prem and hybrid cloud environments. In contrast, 42% of organizations manage exposures holistically, considering both on-prem and hybrid cloud environments as part of an integrated strategy. This means that the majority (58%) opt for ad-hoc or siloed approaches, relying on separate teams and processes for each environment. This puts organizations at a significant disadvantage in effectively combating the dynamic tactics of cyber adversaries, who often operate seamlessly across environments. This suggests a need for organizations to assess their strategies for exposure management and consider whether a more integrated, holistic approach could enhance efficiency and effectiveness. The data highlights the ongoing challenge of aligning skill sets and tools across diverse environments, emphasizing the importance of strategic cohesion in managing exposures for both on-prem and hybrid cloud infrastructures.

Figure 8: Companies' Processes for Addressing Exposures Across On-Prem and Hybrid Cloud Environments. A single program that centrally manages all exposures: 42%; Separate processes and/or teams responsible for exposures in different environments: 47%; Address exposures in an ad-hoc manner: 11%.

About half of companies (51%) use a single program to centrally manage CVEs, misconfigurations, and identity-related exposures. The other portion (49%) uses ad-hoc or siloed processes. The data also reveals that the use of single programs is more prevalent in smaller organizations, with larger companies (10,000+ employees) facing challenges in implementing such centralized programs. This may indicate that larger companies are potentially more sophisticated and integrated than medium-sized organizations, while the smallest entities might not be fully engaged in comprehensive exposure management practices. The findings emphasize the need for scalable and integrated solutions, especially for larger enterprises, to effectively address identity and credential-related exposures and ensure a comprehensive security posture.

Figure 9: Companies' Processes for Addressing Identity and Credential Related Exposures. All respondents: A single program that centrally manages CVEs, misconfigurations and identity-related exposures: 51%; Separate process for addressing identity-related exposures: 34%; Address identity-related exposures in an ad-hoc manner: 15%. By company size (single program / separate process / ad-hoc): 2,500-4,999 employees: 63% / 30% / 7%; 5,000-9,999 employees: 43% / 40% / 17%; 10,000+ employees: 53% / 26% / 21%.

A substantial 45% of companies identify their cloud environment as the most significant opportunity for improving their security posture. This perception reflects a concentrated focus on enhancing security measures within the cloud infrastructure. In contrast, 23% of respondents believe that all environments are equally important for security improvements, highlighting a more balanced perspective. Notably, a staggering 99% of companies acknowledge the potential for improving security posture in one or more environments. This sentiment underscores a widespread recognition of the evolving threat landscape.

Figure 10: Biggest Opportunity for Improving Security Posture. Cloud environment: 45%; All are equally important: 23%; Identities and credentials: 19%; On-prem environment: 12%; No significant room to improve security posture: 1%.

A striking 90% of companies frequently find themselves unable to remediate exposures due to factors like purchased systems and legacy applications. To mitigate the impact of exposures that can't be remediated directly, organizations may consider alternative strategies. Understanding the attacker's potential actions and blocking them through alternative means becomes a crucial aspect of a proactive security approach. This can be accomplished through attack path modeling, which helps to visualize alternate remediation options when the most obvious ones are not viable.

Figure 11: Frequency of Inability to Remediate Exposures Due to Purchased Systems, Legacy Application, etc. Very often: 56%; Quite often: 34%; Not often: 9%; Never: 1%. Unremediated exposures happen often: 90%.

Figure 12: Industry. Categories as listed: Banking, Retail & eCommerce, Energy & Utilities, Financial Services, Travel & Hospitality, Telecom, Health & Pharma, Media, Professional Services, Insurance, Technology, Government. Values as listed: 31%, 22%, 13%, 8%, 8%, 6%, 4%, 3%, 3%, 1%, 1%, 0.3%.

Figure 13: Country. United States: 70%; United Kingdom: 30%.

Figure 14: Department. Information Security: 61%; IT: 39%.

Figure 15: Job Seniority. C-suite: 62%; VP/Head: 24%; Director: 14%.

Figure 16: Role. Categories as listed: CISO, Information Security, Security Architect, Head of Security, Vulnerability Management. Values as listed: 72%, 15%, 9%, 3%, 1%.

Figure 17: Company Size. 2,500-4,999 employees: 34%; 5,000-9,999 employees: 45%; 10,000+ employees: 20%.

Figure 18: Role in Purchasing Cyber Security Products. Purchasing decision maker: 42%; Technical decision maker: 33%; Influencer: 25%.

XM Cyber is a leader in hybrid cloud exposure management that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might go, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, Asia Pacific and Israel.
