
Cisco: 2020 Cybersecurity Report: 20 Cybersecurity Considerations (English edition) (25 pages).pdf


Cisco Cybersecurity Report Series 2020
CISO Benchmark Study
Securing What's Now and What's Next
20 Cybersecurity Considerations for 2020

Contents

Introduction
20 Cybersecurity Considerations for 2020
1. Who in your organization provides executive support and clear focus?
2. How might you decide which metrics matter most?
3. What primary considerations drive spending on a limited budget?
4. What's the right balance for spending on trust verification and threat detection?
5. What can measuring the business impact of security breaches tell you?
6. Why is voluntary breach disclosure at an all-time high?
7. Can you quantify collaboration benefits between networking and security?
8. What reasons do you observe other than cost reduction for outsourcing?
9. Does preparation pay off for you?
10. How critical is patching in breach defense?
11. What causes downtime?
12. How challenging is it to protect the mobile workforce?
13. How might you extend zero trust to secure applications?
14. Is defending the network infrastructure still challenging?
15. Can you measure the impact of vendor consolidation?
16. What are the causes of your cybersecurity fatigue and burnout?
17. What security benefits are associated with hosting infrastructure in the cloud?
18. What challenges do you think the future holds?
19. How much focus should you place on incident response?
20. What can you do now to drive improvements in your security posture?
Securing What's Now and What's Next
About the Cisco Cybersecurity Report Series

Introduction

Security leaders, while supporting business growth and digital transformation, struggle with a multitude of challenges. We know this because you tell us, both in ongoing conversations and as part of our annual benchmark survey.

Some challenges are focused on security, such as needing better visibility or automation, or striving for greater simplicity of management and response. Some are related to the success of your business, such as wanting to support growth and transformation no matter which cloud application is needed, or which mobile device is being used. Other challenges relate to making investments now that will remain relevant into the future as your organization changes.

And all of that is in addition to the everyday demands of the day job, such as detecting and blocking advanced threats. It's difficult to manage sophisticated threat actors and the ever-expanding attack surface at the same time.

Your challenges go beyond just having to do more with a limited budget, and extend into maintaining brand reputation, board and stockholder confidence, and recruiting expertise to match cyberattack tactics, techniques and procedures (TTPs), to name a few. You have to provide users the access they need while meeting these security, complexity, and budget challenges. You also need to lower technology overhead, avoid major breaches, hunt down threats before they infiltrate your network and exfiltrate your data, spend security budget smarter, and win over more customers.

According to the World Economic Forum, cyberattacks are perceived as the #2 global risk of concern to business leaders in advanced economies, second only to fiscal crises.[1]

By conducting our sixth annual survey of 2,800 IT decision makers from 13 countries, we've continued our annual tradition of going deep into your world to compile key benchmark statistics.[2] We also spoke at length to a panel of CISOs to analyze the findings and build a list of 20 considerations for 2020.

This report provides valuable takeaways and data you can share with other members of your C-suite, or your board of directors, to make concrete recommendations for improving your organization's security posture.

Because we know there's nothing certain except uncertainty in this industry, we styled this report's sections as questions you might be asking yourself as you prepare for the year ahead. If these questions resonate with you, or provoke additional areas of inquiry, we'd love to hear from you at security-reportscisco.external.com. Meanwhile, we hope the report will help you navigate this year's security challenges.

To see all of the reports in our Cybersecurity Report Series, go to: cisco.com/go/securityreports.

[1] “This is what CEOs around the world see as the biggest risks to business,” World Economic Forum, 2019
[2] Countries surveyed are Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, the UK, and the U.S.

20 Cybersecurity Considerations for 2020

1. Who in your organization provides executive support and clear focus?

Over the years in our survey, we've measured four critical practices for fostering a mutually beneficial relationship between executives and the security organization. This exercise evaluates top-down security buy-in, where we've found a slight downward trend from last year. Looking at these results:

- Eighty-nine percent of respondents said that their executive leadership still considers security a high priority; however, this is down slightly (7%) across the preceding four years.
- The percentage of organizations who have clarified the security roles and responsibilities within the executive team has fluctuated over the past few years, landing at 89% this year. Considering cybersecurity's growing visibility and the dire need for security leaders at top levels, clarifying roles and responsibilities needs to remain high.
- The incorporation of cyber risk assessments into overall risk assessment processes is down by 5% from last year, but is still high with 91% of respondents saying they use them.
- Although down by 6% from last year, executive teams establishing clear metrics for assessing the effectiveness of security programs is still rather high with 90% of our respondents doing so.

Over four years, these responses are slightly down, which may indicate: 1) that the scope of security responsibility is changing, 2) that communication with the executive team isn't as clear as it used to be, 3) that executive management has other business priorities, or 4) that CISOs and executives are re-evaluating their metrics.

And although these numbers are down, they are still very high. Perhaps this is because security has now become operationalized, but requires a greater voice at the executive table. The fact that the numbers are still very high indicates a continuing strong relationship between executives and security professionals.

"Every organization is different in terms of the executive makeup and there are many different styles of executive leadership. The role of a CISO is to have conversations and engage with the business by demonstrating that well-designed security will give value back to the business."
Mick Jenkins MBE, CISO for Brunel University London

2. How might you decide which metrics matter most?

As we just noted, 90% agreed their organization's executives had established clear metrics for assessing the effectiveness of their security program. Establishing clear metrics is an integral activity for a security framework, and it isn't an easy task to agree across multiple executives and security teams how to measure operational improvement and security outcomes.

IT decision-makers responding to our survey rated time-to-detect highest as a key performance indicator (KPI). However, when you're reporting to the C-suite or board of directors, time-to-remediate ranks just as important, as it represents an aggregate of total impact that may include: system downtime, records affected, cost of investigation, lost revenue, lost customers, lost opportunities, and out-of-pocket costs (Figure 1). It can also be a proxy metric for the overall effectiveness of the IT organization, as remediation can require a lot of collaborative work across departments.

Figure 1: Metrics used to report an impactful breach internally to the C-suite or board of directors (N=2800).
[Bar chart; categories: Time to detect, Time to patch, Time to contain, Time to remediate]
Source: Cisco 2020 CISO Benchmark Survey

3. What primary considerations drive spending on a limited budget?

Predominantly, we heard that the best way to allocate security spend is through outcome-based objectives and metrics. Sixty-one percent are using this planning method, a 10% increase from the previous year and an encouraging trend (Figure 2).

Figure 2: What organizations use to determine and/or control security spending (N=2799). Percentages are rounded.
[Bar chart; categories: Organization security outcome objectives or metrics, Previous year's budgets, Cyber insurance, Percent of revenue, Outsourcing costs]
Source: Cisco 2020 CISO Benchmark Survey

Percent of revenue and outsourcing costs were the least used factors to determine security budgets. Fifty-four percent base spending on the previous year's budget. Although this may not seem like a precise way to quantify security costs, especially when the average cost of a data breach globally ($3.92M) is rarely factored in, if your budget is flat year over year or you have predictable SaaS subscriptions, your forecasted budget will probably see very little change.[3]

[3] 2019 Cost of a Breach Report, Ponemon Institute

"When incidents are detected, you must quickly determine root cause (i.e., Respond and Recover) but just as importantly understand the long-term fix that may be architectural in nature. You then need to address Identify, Protect, and Detect to prevent future incidents."
Marisa Chancellor, Senior Director, Security

... it was the most destructive threat for both small and enterprise organizations in terms of downtime. The large amounts of resultant downtime may be due to the depth of investigation needed to assess the damage, attempt to restore backups, and fix the entry vectors. For more insights into how to deal with various types of attacks, subscribe to our Talos Threat Intelligence blog.

12. How challenging is it to protect the mobile workforce?

We asked our survey respondents to tell us how difficult it is to protect various aspects of their infrastructure. More than half (52%) told us that mobile devices are now very or extremely challenging to defend. They've overtaken user behavior, which was the biggest challenge from last year's report.

With a zero-trust framework, you can identify and verify every person and device trying to access your infrastructure. Zero trust is a pragmatic and future-proof framework that can help bring effective security across your architecture spanning the workforce, workload, and workplace. A zero-trust framework achieves these three success metrics, among others:

- The user is known and authenticated
- The device is checked and found to be adequate
- The user is limited to where they can go within your environment

Having zero trust in place removes much of the guesswork in protecting your infrastructure from all potential threats, including mobile devices.

13. How might you extend zero trust to secure applications?

Workload security is about securing all user and device connections across your network. A zero-trust framework can identify the dependencies within and around databases and applications to apply micro-segmentation and contain lateral movement.

Forty-one percent of our surveyed organizations find data centers very or extremely difficult to defend, and 39% say they are really struggling to secure applications. The most troublesome aspect is data stored in the public cloud, with 52% finding it very or extremely challenging to secure.

A zero-trust framework provides you visibility into what's running and what's critical by identifying and enforcing policies throughout your network. It also alerts you in the case of a policy violation through continuous monitoring and response to indicators of compromise.

"Threat intelligence helps you understand the possible impacts to your business by understanding the real threats your business actually faces. Prioritizing these real risks based on factual intelligence allows business owners to apply their limited capital to the real problems they will face."
Matt Watchinski, VP Engineering, Talos

14. Is defending the network infrastructure still challenging?

Private cloud infrastructure is a top security challenge for organizations. (Fifty percent of organizations find it very or extremely difficult to defend.) With regard to network infrastructure, 41% of organizations find this very or extremely challenging to defend.

Here is where a zero-trust framework delivers value. It includes maintaining software-defined access control over all the connections within your apps and across a multi-cloud environment based on user, device, and application context, not location. This model allows you to mitigate, detect, and respond to risks across your infrastructure regardless of distribution or location. Shown below are defined fram
