Security industry experts have teamed up to undertake a new research project that seeks to produce an unprecedented cyber benchmarking analysis, ultimately answering the key question of “what should you focus on” when it comes to enterprise security, according to the program’s research director.
The study, which is led by research firm ThoughtLab Group and involves a number of top cyber firms, is the “largest known” benchmarking analysis for security to date and will analyze the security strategies of 1,200 companies worldwide, said Lou Celi, CEO of ThoughtLab Group and research director for the project.
The program seeks to bolster enterprise security strategies at a time of increasingly rampant vulnerabilities—fueled in part by trends such as work-from-home, digital purchasing, and IoT—that have helped bring security to the top of the corporate agenda.
In terms of work-from-home security challenges, a recent report from SASE vendor Cato Networks found that cybercriminals are now targeting devices such as wireless access points that end users commonly use to access corporate networks.
“We’re in a riskier world. And I think corporate leaders and government leaders recognize that. And the question is, what can be done about it?” Celi told VentureBeat. “And that’s really what this study is all about.”
It’s the third annual security benchmarking study from Philadelphia-based ThoughtLab Group, and it will provide an evidence-based analysis of companies that operate across industries and geographies, he said. The results are expected to be released in April 2022.
Even with the massive amount of available information on how companies can improve their security, “it’s very hard to get this kind of data that can be used for benchmarking and comparisons—and to understand the impacts of cybersecurity on performance,” Celi said.
Cyber companies that are sponsoring and helping to guide the project include KnowBe4, Claroty, Securonix, Elastic, Skybox Security, Axis Communications, Votiro, and Zenkey. Other sponsors include consulting firm Booz Allen Hamilton and software giant ServiceNow, and the program’s advisory board is made up of chief information security officers from different industries.
Yaniv Vardi, CEO of industrial cybersecurity firm Claroty, said in an email to VentureBeat that “it’s very important for public- and private-sector organizations to have benchmarks against which to adapt their cybersecurity investment plans, practices, and organizational approaches to mitigate risks.”
“The ability to compare current and future trends, impacts, and practices by industry, size, country location, and level of digital transformation gives CISOs and their teams valuable context for determining where they are on their cybersecurity journey and where they need to be,” Vardi said. “The ThoughtLab program provides actionable insights to help organizations protect themselves from rapidly evolving cyber threats.”
People, process and technology
Celi said the study recognizes that when it comes to investing in security, there are lots of choices.
“You can spend money on people, process, technology. There are hundreds of technologies that you can put into place. But your budgets are limited. You can’t do everything. So what should you focus on?” he said. “So this is a study to really help people understand best practice, backed up by evidence.”
In terms of people-related issues for security, the study will likely bring a greater focus this year on upskilling and how to create a culture that is attuned to good cyber practices, he said. It may involve more focus on training, testing, and insider threat programs, Celi said.
On the process side, topics that are likely to get a bigger emphasis in this year’s study include zero trust architecture, cloud risk, the merging of IT and operational technology (OT), and ensuring that security is a consideration in workflow automation, he said.
As for technologies, newer ones that could be examined include breach and attack simulation, security data lakes, and security for low-code/no-code environments, Celi said.
Additionally, major threats that will factor more heavily in the report this year include ransomware and supply-chain attacks, while other key issues will be looked at as well, such as the changing role of the CISO, he said.
All in all, the insights produced by the project should help companies to invest more wisely when it comes to security, Celi said.
“As the role of digital has expanded in companies, and companies have become digital-first, the role of security has to follow suit,” he said. “You can’t make cyber an after-thought. It has to be right up front.”