Research

Research Objectives

Based upon years of previous research, for most organizations, security operations are in a period of both disarray and transition. While organizations expand the development of digital transformation initiatives, cloud-native application development, and remote worker support, SOC teams continue to conduct day-to-day operations using assorted point tools, manual processes, and a shortage of staff and skills. CISOs realize this mismatch leads to an unacceptable reality of ever-increasing cyber-risk.

To address this growing security operations gap, organizations are taking numerous actions to modernize security operations, including automating processes, utilizing advanced analytics, integrating security technologies, and embracing the MITRE ATT&CK framework. In order to gain insights into these trends, ESG surveyed 376 IT and cybersecurity professionals at organizations in North America (US and Canada) personally responsible for evaluating, purchasing, and utilizing threat detection and response security products and services.

Abstract:

As organizations add more IT assets, their attack surfaces also grow, and so does the organization's need for better security hygiene and posture management. Security hygiene and posture management rely on a broad range of tools such as vulnerability management, asset management, attack surface management and security testing to monitor all IT assets in an organization.

Executive Summary:

Report Conclusions

In late 2021 and early 2022, ESG in partnership with the Information Systems Security Association (ISSA) conducted a survey of 280 cybersecurity professionals focused on security processes and technologies at organizations of all sizes in industries such as technology, government, financial services, and business services, among others, spanning countries in North/Central/South America, Europe, Asia, and Africa.

Based upon the research collected for this project, ESG and ISSA reached the following conclusions:

• Security professionals want more industry cooperation and technology standards.
• Organizations are actively consolidating security vendors and integrating technologies.
• and more...

Abstract:

Security hygiene and posture management is still one of the least mature areas of cybersecurity, and the external attack surface continues to be vulnerable and prone to exploitation at many organizations. While diligent efforts, such as improved asset management and security testing, can help, security hygiene and posture management remains a challenge. Organizations that are addressing their security hygiene and posture management proactively are currently making the most progress. This brief looks at the research data and reports on some of the things these organizations are doing to get ahead.

Abstract:

Disjointed tools and manual processes are creating an unacceptable level of cyber-risk for many organizations.

Abstract:

ESG conducted a comprehensive online survey of IT and cybersecurity professionals from private- and public-sector organizations in North America (United States and Canada) between August 3, 2021 and August 14, 2021. To qualify for this survey, respondents were required to be IT and cybersecurity professionals responsible for evaluating, purchasing, and utilizing products and services for security hygiene and posture management (i.e., vulnerability management, asset management, attack surface management, security testing tools, etc.).

This Complete Survey Results presentation focuses on security posture management strategies today, including how organizations are addressing challenges and improving programs, how security and IT operations teams cooperate on all security posture management activities, and priorities associated with security posture management in the coming 12-18 months.

Abstract:

Security posture management challenges are driven by the growing attack surface. Organizations have accelerated cloud computing initiatives and have been forced to support a growing population of remote users because of the pandemic. Firms are also deploying new types of devices as part of digital transformation initiatives, further exacerbating the growing attack surface, which leads to management challenges, vulnerabilities, and potential system compromises. Meanwhile, security teams are also concerned about recent cybersecurity issues including MS Exchange vulnerabilities, the SolarWinds hack, and the recent Log4j zero-day flaw. As a result, organizations are further assessing security posture management processes, examining vendor risk management requirements, and testing security more frequently.

Abstract:

The cybersecurity skills shortage continues with no end in sight, but collaborative research between ESG and ISSA suggests that organizations could and should be doing more to address it.

See the data behind these trends and more with this infographic.

Abstract:

In early 2021, the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) conducted the fifth annual research project focused on the lives and experiences of cybersecurity professionals. This year’s report is based on data from a global survey of 489 cybersecurity professionals.

The cybersecurity skills gap discussion has been going on for over 10 years, and the data gathered for this project confirms that there has been no significant progress toward a solution to this problem during the five years it has been closely researched. The skills crisis has impacted over half (57%) of organizations. The top ramifications of the skills shortage include an increasing workload (62%), unfilled open job requisitions (38%), and high burnout among staff (38%). Further, 95% of respondents state the cybersecurity skills shortage and its associated impacts have not improved over the past few years while 44% say it has only gotten worse.

To download a complimentary copy of this report, please visit https://www.esg-global.com/esg-issa-research-report-2021.

Abstract:

ESG conducted a comprehensive online survey of information security and IT professionals from private- and public-sector organizations in North America (United States and Canada), Europe, Asia, Central/South America, and Africa between March 1, 2021 and April 7, 2021. To qualify for this survey, respondents were required to be information security and IT professionals from ISSA’s member list.

This Master Survey Results presentation focuses on the lives and experiences of cybersecurity professionals, including performance assessments of their cybersecurity leaders, as well as suggestions for what organizations can do to help cybersecurity professionals succeed.