Cybersecurity Issues Are More Alike Than Different Across Industries
Threats and challenges persist for many organizations, CDW research finds.
We’re all in this together.
That’s one insight gleaned from new research conducted by CDW, which found that as much as organizations in different industries such as healthcare, education, government and retail differ in their missions and priorities, they also share some common challenges, solutions and objectives.
In a survey of IT and security professionals, CDW found several common themes that exist across industries. For example, when asked about their biggest challenges around creating and maintaining visibility in their cybersecurity landscape, respondents in every segment cited evolving threats and keeping up with rapid advances in IT.
“There is a really powerful message that comes out of the research, that there's a ton of commonality in terms of what organizations are facing, regardless of industry or size,” said Stephanie Hagopian, vice president of security for CDW. “There is a huge amount of value in understanding that you are not alone as an institution going through these challenges. And that the more you're talking to your peers in the industry and to companies like CDW that are repeatedly exposed to these issues, the more it can really help you prioritize and execute valuable initiatives that produce positive outcomes already proven elsewhere in the market.”
CDW conducted the survey of more than 950 technology and security professionals in numerous industries across the U.S. in March 2024, asking questions on a variety of cybersecurity topics, including zero trust, cyber resilience and staffing. The research is an effort to gain insight into the experiences of professionals in the field.
“The market is really flooded with opinions,” said Buck Bell, who leads CDW's Global Security Strategy Office. “But hearing this directly from the folks who are engaged day to day and who are on the hook for cyber prevention, it's extraordinarily important to understand what they're hearing and what they're dealing with every day.”
Making the Case for Cybersecurity Funding
Budgetary limitations are a common cybersecurity challenge for organizations. Of the professionals surveyed, 27 percent cited budgetary resources as one of the things missing from their organization’s approach to security. In making the case for funding, more than three-fourths (76 percent) of respondents said showing the cost of a data breach in lost sales and lost productivity was an effective method of justifying investments in cybersecurity.
Executives must understand that cybersecurity problems can affect every aspect of an organization’s operations — not just IT functions, Bell said. “The more holistic your view of the enterprise as a whole — not only the specific cyber risk itself but also the business impacts that are associated with it — typically, the more successful you're going to be in your cyber resilience aims,” he said. “From my perspective, cyber risk is business risk.”
To address this risk, Bell said, organizations need to qualitatively assess their cybersecurity efforts against a security framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, while also quantitively assessing the level of risk they face by modeling the potential financial impacts from immature controls or gaps in cyber protection for critical assets. By considering these factors and their tolerance for risks around their business operations, organizations can more effectively budget for cybersecurity.
27%
The percentage of respondents who cited budgetary resources as one of the things missing from their organization’s approach to security
76%
The percentage of respondents who said showing the cost of a data breach in lost sales and lost productivity was an effective method of justifying investment in cybersecurity
Increasing Cybersecurity Complexity Requires Improved Training
Poor user training represents a significant cybersecurity challenge for organizations across industries. CDW found that 31 percent said insufficient or ineffective employee training — the most frequently cited answer — was an issue for their organization’s approach to cybersecurity.
“Many respondents said they needed better enablement and training for their people,” Hagopian said. “Developing your workforce is really essential so that your team is better equipped to handle the dynamic threat landscape. As a byproduct of comprehensive people development that’s focused not only on technology operations but also on methodologies, processes and frameworks, it will make your people feel more valued within your organization.”
The research indicated that the vast majority (68 percent) of organizations operate between 10 and 49 security tools or platforms. “As the number of security solutions increases and IT security environments become more complex, it’s essential for team members to be well trained on these solutions,” Hagopian said, “but also to understand how all of these solutions interoperate with each other and what metrics will really drive their objectives in a meaningful way.”
Automated tools can help organizations handle the high number of minor tasks they face, but training is critical to help security and IT teams manage greater challenges. “The people who run the security operations center need to really understand how to filter through all of the data. They have to know what's real and what's not real,” she said. “You have to think like an analyst and understand how to do root-cause analysis and problem-solving, so that type of training is also essential.”
The survey also indicated that security training provides an additional benefit by helping organizations maintain the employment of professionals whose cybersecurity skills are in high demand. In fact, 77 percent of respondents said providing certification and education opportunities was an effective way to retain IT security staff. Additionally, 36 percent said their organization outsources security training.
“Most organizations don't have a lot of cyber talent, so the staff you have, you want to retain,” Hagopian said. “You retain your staff by ensuring that you're raising their value by giving them a broad set of skills and ensuring they're working on high-value tasks.”
Approximately how many security tools/platforms is your organization running?
The more holistic your view of the enterprise as a whole — not only the specific cyber risk itself but also the business impacts that are associated with it — typically, the more successful you're going to be in your cyber resilience aims. From my perspective, cyber risk is business risk.
—BUCK BELL, GLOBAL SECURITY STRATEGY OFFICE LEAD, CDW
High Confidence in Security Visibility
Visibility into an organization’s cybersecurity landscape is essential to establishing an effective security posture. Our research indicates that organizations have made significant progress toward achieving this capability. Eighty-eight percent of respondents said they are somewhat confident (50 percent) or very confident (38 percent) they have sufficient visibility into their cybersecurity.
Of those who responded that they are very confident, 61 percent said they considered identity and access management tools to be very effective at improving visibility into their security environment, the highest level of confidence of any solution mentioned in the survey. Bell said that while IAM solutions aren’t monitoring tools, it makes sense that respondents found them to be effective in establishing visibility.
“When you look at identity and access management, it enables you to control access using things such as traditional credentials and multifactor authentication. You can derive intelligence from the use of multifactor authentication and the policies that prompt users,” Bell said. “IAM also enables governance, where you're creating and assigning permission sets to end users.”
IAM tools can also integrate with other security solutions to enhance visibility even further, Bell said. For example, combining IAM with behavioral analytics and physical security systems can help IT teams spot anomalous behavior that may indicate a cybersecurity threat, such as a user who has not badged into an office building but who has logged in to a computer there. “Well-managed identities are key to security,” Bell said. “If you don't know who's trying to access what, you will ultimately fail at this.”
How confident are you that you have sufficient visibility into your cybersecurity landscape?
2%
VERY UNCONFIDENT
3%
SOMEWHAT UNCONFIDENT
7%
NEUTRAL
50%
SOMEWHAT CONFIDENT
38%
VERY CONFIDENT
Improved Readiness
The survey also revealed that many IT professionals consider their organizations ready for a security breach. When asked how prepared they feel their organization is to respond to a cybersecurity incident, 32 percent said they felt “very prepared,” while 49 percent said “somewhat prepared.” Only 10 percent said they felt unprepared.
Bell credited many of the improvements that organizations have made in their cybersecurity posture to making it a higher priority. Many organizations have added roles such as a CISO to bring additional expertise and focus to their security efforts and have established clear lines from security leaders to executive teams. In fact, 29 percent of respondents (more than for any other option) said the person with ultimate responsibility for cybersecurity in their organization reports to the CEO.
Bell also noted that cyber insurance is having a powerful impact on the security posture of many organizations. To this point, 61 percent of respondents said their organization’s cybersecurity insurance policy “heavily” or “significantly” influences its security strategy.
“Many cyber insurers have begun to develop partnerships with security vendors that they can bring in as experts to help their organizations really have a well-prepared incident response plan,” Bell said. “That benefits a cyber insurer as well as the company in question.”
The research also suggested a connection between visibility and preparedness. Of respondents who said they were “very confident” in their visibility, 52 percent said they felt “very prepared” for a cybersecurity breach.
How prepared do you feel your organization is to respond to a cybersecurity incident and minimize the resulting downtime?
How rapidly can your organization recover from a cyber incident?
CDW can help you bounce back quickly.
Integration: An Uphill Climb to Put It All Together
One common challenge organizations face is in integrating the numerous tools they bring into their security environment. Forty percent of the IT and security professionals surveyed said it was “very difficult” or “somewhat difficult” to integrate all of the security tools their organizations use.
The high number of tools in use also can create an information overload, as security teams are forced to deal with an increasing number of alerts from their tools. This can distract security staff and add to both their stress and fatigue. “That is a risk of additional tools,” Bell said. “You’re getting more visibility, but it may be difficult to manage.”
Automation is one way to address this issue, Bell suggested, combining data flows and allowing AI and other tools to screen out some of the alerts so security teams can focus on priority issues. Eliminating unnecessary or redundant tools may also simplify the security environments of organizations that find themselves dealing with integration issues, Hagopian added. “We talk a lot about rationalizing toolsets, and the way you rationalize is, you look at the overlapping functionality that you have in play,” she said. “Are there ways to deprecate overlapping functionality? If so, deprecate and consolidate, and then use that money you're saving to invest in the places where you have a gap.”
How difficult do you find it to integrate all of the security tools you’re currently using?
1%
I USE A SINGLE SOLUTION
8%
VERY DIFFICULT
32%
SOMEWHAT DIFFICULT
18%
NEUTRAL
28%
SOMEWHAT EASY
13%
VERY EASY
Staffing Issues and Stress Levels
The global shortage of skilled cybersecurity professionals has been widely discussed, and our research indicates that this remains an issue. One quarter of respondents said their security teams were either understaffed or severely understaffed, while 35 percent said they had most of their needs covered but would like to have more help.
This situation appears to be linked to the stress that IT professionals feel related to cybersecurity. Roughly 41 percent of respondents rated their overall stress level as somewhat or very stressful, and the issues that contribute most to stress were “a lack of staff” (45 percent) and “responding to cybersecurity threats” (44 percent).
41%
The percentage of respondents who rated their overall stress level as very or somewhat stressful
45%
The percentage of respondents who said the majority of their stress is caused by a lack of staff
“A lot of organizations are experiencing pain because the security workforce is not large enough,” Hagopian said. “Staffing issues tend to be pervasive, and automation is definitely an effective way to contend with those challenges.”
Keeping skilled security professionals on staff has also been a longtime challenge for organizations across industries. While training was the most popular option for retaining security professionals, survey respondents also suggested that compensation is a useful way to address these challenges, with 75 percent citing “competitive salaries” as an effective solution.
“This is a stressful industry, there's just no two ways about that,” Bell said. “Things like job rotation can help — putting people into roles to let them gain additional experience. Obviously, putting together some kind of training strategy for people can help them secure and develop their own careers. I think that's a huge value-add for companies looking to retain staff.”
Recovery Capabilities Are Critical in the High-Stakes Security World
While the vast majority of respondents said their organizations were at least somewhat prepared to respond to a breach, the threat of a cyberattack remains a major issue for most organizations. Slightly more than 43 percent of respondents said they had suffered breaches that cost their organizations between $1 million and $10 million in downtime. Another 8 percent said they had suffered a breach costing more than $10 million.
Cybersecurity experts agree that for most organizations, a breach is likely inevitable. “Organizations need to operate under the assumption that they'll be breached at one point or another,” Bell said. “In a sense, that's the entire basis of the zero-trust push that we've been seeing over the past couple of years, the idea that you may have already been compromised.
The push for zero trust — a cybersecurity approach that requires all users, inside and outside an organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted access to applications and data — appears to have accelerated. Over 41 percent of respondents say they are in the advanced stage of zero-trust implementation, while another 12 percent said they have achieved the optimal level of maturity.
Preventing a breach is a worthwhile pursuit, but organizations also should make efforts to plan for how they will respond to a cybersecurity incident. The better prepared organizations are, the simpler their recovery will be.
“Cyber recovery is a lot easier if you have network segmentation because that will isolate the incident and create a quicker time to recovery,” Hagopian said, adding that cyber hygiene is a relatively simple way to bolster resilience. “I tell people all the time that there's just basic preventive measures you can take, such as stronger credential management, basic email protection from spam or phishing attempts, and keeping systems patched and firmware updated. When you look at the major incidents making headlines over the past few years, most could have been prevented by following these fairly standard procedures.”
If you've experienced a data breach in the past five years, can you estimate how much the ensuing downtime cost your organization?
What are your next steps with zero trust?
CDW’s Rapid Zero Trust Maturity Assessment
can help you see the path.
The Option to Outsource
With the ongoing shortage of security professionals, many organizations look for help from third-party partners. Security training was the function most commonly outsourced by respondents (36 percent), while managed security services were second, at 27 percent.
Interestingly, 26 percent of those surveyed said their organizations were not outsourcing anything. These organizations may be missing an opportunity to focus more effectively on their core mission, Bell said.
“Honestly, organizations should ask themselves, what is their core function? You’ve got toy companies doing security. Why are you doing that?” he said. “You can find partners to outsource some of these elements out there. Nobody builds their own HVAC system and then sends somebody up to the top to do recharges of the coolant. Take a look at what you can outsource within the security model to keep your people fresh and doing relevant work for your business.”
Similarly, 48 percent of respondents said Software as a Service is the purchasing method their organization uses most often to procure new IT tools and services
Which of the following areas are you outsourcing when it comes to your IT security? Please select all that apply, or if you don’t outsource anything, select “We’re not outsourcing anything.”
*Security operations center or SIEM solution
The Right Tools to Enhance Security
IT and security professionals seem to have a high level of confidence in many of the cybersecurity tools their organizations have deployed. Network security (89 percent), data security (87 percent) and encryption (85 percent) ranked as the solutions in which respondents said they somewhat or strongly agree that the tools are helpful.
Such confidence is important, as organizations face new attacks and tactics continuously. “We're seeing novel attacks such as those from Volt Typhoon actors right now against critical infrastructure targets,” Bell said, citing a Chinese state-sponsored hacker group. “Those not only represent a whole new challenge generally, but what we're finding is that these attacks are incredibly difficult to detect. To that end, defense is obviously important — that prevention aspect — but I would also say that detection and containment are equally important and should be a primary consideration.”
IT leaders at many organizations are unsure of which security tools to deploy against the vast number and variety of attacks they face. Bell suggests they seek guidance from organizations such as NIST and the Cybersecurity and Infrastructure Security Agency. “There are some interesting public resources that are available to everyone,” he said. “For instance, I'd advise anyone with an interest in response and recovery to become familiar with NIST’s ransomware risk management framework.”
How strongly do you agree the following tools & services are helpful for your organization and its cybersecurity initiatives? If you don’t use the tool or service, please select “don’t use.”
NETWORK SECURITY
34%
SOMEWHAT AGREE
55%
STRONGLY AGREE
DATA SECURITY
32%
SOMEWHAT AGREE
55%
STRONGLY AGREE
ENCRYPTION
32%
SOMEWHAT AGREE
53%
STRONGLY AGREE
What's next? Learn how better security
can improve your ability to innovate.
Cybersecurity Issues Are More Alike Than Different Across Industries
Threats and challenges persist for many organizations, CDW research finds.
We’re all in this together.
That’s one insight gleaned from new research conducted by CDW, which found that as much as organizations in different industries such as healthcare, education, government and retail differ in their missions and priorities, they also share some common challenges, solutions and objectives.
In a survey of IT and security professionals, CDW found several common themes that exist across industries. For example, when asked about their biggest challenges around creating and maintaining visibility in their cybersecurity landscape, respondents in every segment cited evolving threats and keeping up with rapid advances in IT.
“There is a really powerful message that comes out of the research, that there's a ton of commonality in terms of what organizations are facing, regardless of industry or size,” said Stephanie Hagopian, vice president of security for CDW. “There is a huge amount of value in understanding that you are not alone as an institution going through these challenges. And that the more you're talking to your peers in the industry and to companies like CDW that are repeatedly exposed to these issues, the more it can really help you prioritize and execute valuable initiatives that produce positive outcomes already proven elsewhere in the market.”
CDW conducted the survey of more than 950 technology and security professionals in numerous industries across the U.S. in March 2024, asking questions on a variety of cybersecurity topics, including zero trust, cyber resilience and staffing. The research is an effort to gain insight into the experiences of professionals in the field.
“The market is really flooded with opinions,” said Buck Bell, who leads CDW's Global Security Strategy Office. “But hearing this directly from the folks who are engaged day to day and who are on the hook for cyber prevention, it's extraordinarily important to understand what they're hearing and what they're dealing with every day.”
Making the Case for Cybersecurity Funding
Budgetary limitations are a common cybersecurity challenge for organizations. Of the professionals surveyed, 27 percent cited budgetary resources as one of the things missing from their organization’s approach to security. In making the case for funding, more than three-fourths (76 percent) of respondents said showing the cost of a data breach in lost sales and lost productivity was an effective method of justifying investments in cybersecurity.
27%
The percentage of respondents who cited budgetary resources as one of the things missing from their organization’s approach to security
76%
The percentage of respondents who said showing the cost of a data breach in lost sales and lost productivity was an effective method of justifying investment in cybersecurity
Executives must understand that cybersecurity problems can affect every aspect of an organization’s operations — not just IT functions, Bell said. “The more holistic your view of the enterprise as a whole — not only the specific cyber risk itself but also the business impacts that are associated with it — typically, the more successful you're going to be in your cyber resilience aims,” he said. “From my perspective, cyber risk is business risk.”
To address this risk, Bell said, organizations need to qualitatively assess their cybersecurity efforts against a security framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, while also quantitively assessing the level of risk they face by modeling the potential financial impacts from immature controls or gaps in cyber protection for critical assets. By considering these factors and their tolerance for risks around their business operations, organizations can more effectively budget for cybersecurity.
Increasing Cybersecurity Complexity Requires Improved Training
Poor user training represents a significant cybersecurity challenge for organizations across industries. CDW found that 31 percent said insufficient or ineffective employee training — the most frequently cited answer — was an issue for their organization’s approach to cybersecurity.
“Many respondents said they needed better enablement and training for their people,” Hagopian said. “Developing your workforce is really essential so that your team is better equipped to handle the dynamic threat landscape. As a byproduct of comprehensive people development that’s focused not only on technology operations but also on methodologies, processes and frameworks, it will make your people feel more valued within your organization.”
Approximately how many security tools/platforms is your organization running?
Over one-third (37%) of respondents have 10 - 19 tools, followed closed behind those with 20 - 49 tools (32%). Just 15% of all respondents have 50 tools or more.
The research indicated that the vast majority (68 percent) of organizations operate between 10 and 49 security tools or platforms. “As the number of security solutions increases and IT security environments become more complex, it’s essential for team members to be well trained on these solutions,” Hagopian said, “but also to understand how all of these solutions interoperate with each other and what metrics will really drive their objectives in a meaningful way.”
Automated tools can help organizations handle the high number of minor tasks they face, but training is critical to help security and IT teams manage greater challenges. “The people who run the security operations center need to really understand how to filter through all of the data. They have to know what's real and what's not real,” she said. “You have to think like an analyst and understand how to do root-cause analysis and problem-solving, so that type of training is also essential.”
The survey also indicated that security training provides an additional benefit by helping organizations maintain the employment of professionals whose cybersecurity skills are in high demand. In fact, 77 percent of respondents said providing certification and education opportunities was an effective way to retain IT security staff. Additionally, 36 percent said their organization outsources security training.
“Most organizations don't have a lot of cyber talent, so the staff you have, you want to retain,” Hagopian said. “You retain your staff by ensuring that you're raising their value by giving them a broad set of skills and ensuring they're working on high-value tasks.”
High Confidence in Security Visibility
Visibility into an organization’s cybersecurity landscape is essential to establishing an effective security posture. Our research indicates that organizations have made significant progress toward achieving this capability. Eighty-eight percent of respondents said they are somewhat confident (50 percent) or very confident (38 percent) they have sufficient visibility into their cybersecurity.
How confident are you that you have sufficient visibility into your cybersecurity landscape?
Of those who responded that they are very confident, 61 percent said they considered identity and access management tools to be very effective at improving visibility into their security environment, the highest level of confidence of any solution mentioned in the survey. Bell said that while IAM solutions aren’t monitoring tools, it makes sense that respondents found them to be effective in establishing visibility.
“When you look at identity and access management, it enables you to control access using things such as traditional credentials and multifactor authentication. You can derive intelligence from the use of multifactor authentication and the policies that prompt users,” Bell said. “IAM also enables governance, where you're creating and assigning permission sets to end users.”
IAM tools can also integrate with other security solutions to enhance visibility even further, Bell said. For example, combining IAM with behavioral analytics and physical security systems can help IT teams spot anomalous behavior that may indicate a cybersecurity threat, such as a user who has not badged into an office building but who has logged in to a computer there. “Well-managed identities are key to security,” Bell said. “If you don't know who's trying to access what, you will ultimately fail at this.”
Improved Readiness
The survey also revealed that many IT professionals consider their organizations ready for a security breach. When asked how prepared they feel their organization is to respond to a cybersecurity incident, 32 percent said they felt “very prepared,” while 49 percent said “somewhat prepared.” Only 10 percent said they felt unprepared.
Bell credited many of the improvements that organizations have made in their cybersecurity posture to making it a higher priority. Many organizations have added roles such as a CISO to bring additional expertise and focus to their security efforts and have established clear lines from security leaders to executive teams. In fact, 29 percent of respondents (more than for any other option) said the person with ultimate responsibility for cybersecurity in their organization reports to the CEO.
How prepared do you feel your organization is to respond to a cybersecurity incident and minimize the resulting downtime?
Bell also noted that cyber insurance is having a powerful impact on the security posture of many organizations. To this point, 61 percent of respondents said their organization’s cybersecurity insurance policy “heavily” or “significantly” influences its security strategy.
“Many cyber insurers have begun to develop partnerships with security vendors that they can bring in as experts to help their organizations really have a well-prepared incident response plan,” Bell said. “That benefits a cyber insurer as well as the company in question.”
The research also suggested a connection between visibility and preparedness. Of respondents who said they were “very confident” in their visibility, 52 percent said they felt “very prepared” for a cybersecurity breach.
How rapidly can your organization recover from a cyber incident?
CDW can help you bounce back quickly.
Integration: An Uphill Climb to Put It All Together
One common challenge organizations face is in integrating the numerous tools they bring into their security environment. Forty percent of the IT and security professionals surveyed said it was “very difficult” or “somewhat difficult” to integrate all of the security tools their organizations use.
The high number of tools in use also can create an information overload, as security teams are forced to deal with an increasing number of alerts from their tools. This can distract security staff and add to both their stress and fatigue. “That is a risk of additional tools,” Bell said. “You’re getting more visibility, but it may be difficult to manage.”
How difficult do you find it to integrate all of the security tools you’re currently using?
Automation is one way to address this issue, Bell suggested, combining data flows and allowing AI and other tools to screen out some of the alerts so security teams can focus on priority issues. Eliminating unnecessary or redundant tools may also simplify the security environments of organizations that find themselves dealing with integration issues, Hagopian added. “We talk a lot about rationalizing toolsets, and the way you rationalize is, you look at the overlapping functionality that you have in play,” she said. “Are there ways to deprecate overlapping functionality? If so, deprecate and consolidate, and then use that money you're saving to invest in the places where you have a gap.”
Staffing Issues and Stress Levels
The global shortage of skilled cybersecurity professionals has been widely discussed, and our research indicates that this remains an issue. One quarter of respondents said their security teams were either understaffed or severely understaffed, while 35 percent said they had most of their needs covered but would like to have more help.
This situation appears to be linked to the stress that IT professionals feel related to cybersecurity. Roughly 41 percent of respondents rated their overall stress level as somewhat or very stressful, and the issues that contribute most to stress were “a lack of staff” (45 percent) and “responding to cybersecurity threats” (44 percent).
41%
The percentage of respondents who rated their overall stress level as very or somewhat stressful
45%
The percentage of respondents who said the majority of their stress is caused by a lack of staff
“A lot of organizations are experiencing pain because the security workforce is not large enough,” Hagopian said. “Staffing issues tend to be pervasive, and automation is definitely an effective way to contend with those challenges.”
Keeping skilled security professionals on staff has also been a longtime challenge for organizations across industries. While training was the most popular option for retaining security professionals, survey respondents also suggested that compensation is a useful way to address these challenges, with 75 percent citing “competitive salaries” as an effective solution.
“This is a stressful industry, there's just no two ways about that,” Bell said. “Things like job rotation can help — putting people into roles to let them gain additional experience. Obviously, putting together some kind of training strategy for people can help them secure and develop their own careers. I think that's a huge value-add for companies looking to retain staff.”
Recovery Capabilities Are Critical in the High-Stakes Security World
While the vast majority of respondents said their organizations were at least somewhat prepared to respond to a breach, the threat of a cyberattack remains a major issue for most organizations. Slightly more than 43 percent of respondents said they had suffered breaches that cost their organizations between $1 million and $10 million in downtime. Another 8 percent said they had suffered a breach costing more than $10 million.
If you’ve experienced a data breach in the past five years, can you estimate how much the ensuing downtime cost your organization?
Cybersecurity experts agree that for most organizations, a breach is likely inevitable. “Organizations need to operate under the assumption that they'll be breached at one point or another,” Bell said. “In a sense, that's the entire basis of the zero-trust push that we've been seeing over the past couple of years, the idea that you may have already been compromised.
The push for zero trust — a cybersecurity approach that requires all users, inside and outside an organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted access to applications and data — appears to have accelerated. Over 41 percent of respondents say they are in the advanced stage of zero-trust implementation, while another 12 percent said they have achieved the optimal level of maturity.
Preventing a breach is a worthwhile pursuit, but organizations also should make efforts to plan for how they will respond to a cybersecurity incident. The better prepared organizations are, the simpler their recovery will be.
“Cyber recovery is a lot easier if you have network segmentation because that will isolate the incident and create a quicker time to recovery,” Hagopian said, adding that cyber hygiene is a relatively simple way to bolster resilience. “I tell people all the time that there's just basic preventive measures you can take, such as stronger credential management, basic email protection from spam or phishing attempts, and keeping systems patched and firmware updated. When you look at the major incidents making headlines over the past few years, most could have been prevented by following these fairly standard procedures.”
The Option to Outsource
With the ongoing shortage of security professionals, many organizations look for help from third-party partners. Security training was the function most commonly outsourced by respondents (36 percent), while managed security services were second, at 27 percent.
36.1%
SECURITY TRAINING
26.34%
WE’RE NOT OUTSOURCING ANYTHING
26.97%
MANAGED SECURITY SERVICES*
*Security operations center or SIEM solution
Interestingly, 26 percent of those surveyed said their organizations were not outsourcing anything. These organizations may be missing an opportunity to focus more effectively on their core mission, Bell said.
“Honestly, organizations should ask themselves, what is their core function? You’ve got toy companies doing security. Why are you doing that?” he said. “You can find partners to outsource some of these elements out there. Nobody builds their own HVAC system and then sends somebody up to the top to do recharges of the coolant. Take a look at what you can outsource within the security model to keep your people fresh and doing relevant work for your business.”
Similarly, 48 percent of respondents said Software as a Service is the purchasing method their organization uses most often to procure new IT tools and services
What are your next steps with zero trust?
CDW’s Rapid Zero Trust Maturity Assessment
can help you see the path.
The Right Tools to Enhance Security
IT and security professionals seem to have a high level of confidence in many of the cybersecurity tools their organizations have deployed. Network security (89 percent), data security (87 percent) and encryption (85 percent) ranked as the solutions in which respondents said they somewhat or strongly agree that the tools are helpful.
NETWORK
SECURITY
34%
SOMEWHAT AGREE
55%
STRONGLY AGREE
DATA
SECURITY
32%
SOMEWHAT AGREE
55%
STRONGLY AGREE
ENCRYPTION
32%
SOMEWHAT AGREE
53%
STRONGLY AGREE
Such confidence is important, as organizations face new attacks and tactics continuously. “We're seeing novel attacks such as those from Volt Typhoon actors right now against critical infrastructure targets,” Bell said, citing a Chinese state-sponsored hacker group. “Those not only represent a whole new challenge generally, but what we're finding is that these attacks are incredibly difficult to detect. To that end, defense is obviously important — that prevention aspect — but I would also say that detection and containment are equally important and should be a primary consideration.”
IT leaders at many organizations are unsure of which security tools to deploy against the vast number and variety of attacks they face. Bell suggests they seek guidance from organizations such as NIST and the Cybersecurity and Infrastructure Security Agency. “There are some interesting public resources that are available to everyone,” he said. “For instance, I'd advise anyone with an interest in response and recovery to become familiar with NIST’s ransomware risk management framework.”
What's next? Learn how better security
can improve your ability to innovate.