Budgetary limitations are a common cybersecurity challenge for organizations. Of the professionals surveyed, 27 percent cited budgetary resources as one of the things missing from their organization’s approach to security. In making the case for funding, more than three-fourths (76 percent) of respondents said showing the cost of a data breach in lost sales and lost productivity was an effective method of justifying investments in cybersecurity.

Executives must understand that cybersecurity problems can affect every aspect of an organization’s operations — not just IT functions, Bell said. “The more holistic your view of the enterprise as a whole — not only the specific cyber risk itself but also the business impacts that are associated with it — typically, the more successful you're going to be in your cyber resilience aims,” he said. “From my perspective, cyber risk is business risk.”

To address this risk, Bell said, organizations need to qualitatively assess their cybersecurity efforts against a security framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, while also quantitively assessing the level of risk they face by modeling the potential financial impacts from immature controls or gaps in cyber protection for critical assets. By considering these factors and their tolerance for risks around their business operations, organizations can more effectively budget for cybersecurity.

Poor user training represents a significant cybersecurity challenge for organizations across industries. CDW found that 31 percent said insufficient or ineffective employee training — the most frequently cited answer — was an issue for their organization’s approach to cybersecurity.

“Many respondents said they needed better enablement and training for their people,” Hagopian said. “Developing your workforce is really essential so that your team is better equipped to handle the dynamic threat landscape. As a byproduct of comprehensive people development that’s focused not only on technology operations but also on methodologies, processes and frameworks, it will make your people feel more valued within your organization.”

The research indicated that the vast majority (68 percent) of organizations operate between 10 and 49 security tools or platforms. “As the number of security solutions increases and IT security environments become more complex, it’s essential for team members to be well trained on these solutions,” Hagopian said, “but also to understand how all of these solutions interoperate with each other and what metrics will really drive their objectives in a meaningful way.”

Automated tools can help organizations handle the high number of minor tasks they face, but training is critical to help security and IT teams manage greater challenges. “The people who run the security operations center need to really understand how to filter through all of the data. They have to know what's real and what's not real,” she said. “You have to think like an analyst and understand how to do root-cause analysis and problem-solving, so that type of training is also essential.”

The survey also indicated that security training provides an additional benefit by helping organizations maintain the employment of professionals whose cybersecurity skills are in high demand. In fact, 77 percent of respondents said providing certification and education opportunities was an effective way to retain IT security staff. Additionally, 36 percent said their organization outsources security training.

“Most organizations don't have a lot of cyber talent, so the staff you have, you want to retain,” Hagopian said. “You retain your staff by ensuring that you're raising their value by giving them a broad set of skills and ensuring they're working on high-value tasks.”

Visibility into an organization’s cybersecurity landscape is essential to establishing an effective security posture. Our research indicates that organizations have made significant progress toward achieving this capability. Eighty-eight percent of respondents said they are somewhat confident (50 percent) or very confident (38 percent) they have sufficient visibility into their cybersecurity.

Of those who responded that they are very confident, 61 percent said they considered identity and access management tools to be very effective at improving visibility into their security environment, the highest level of confidence of any solution mentioned in the survey. Bell said that while IAM solutions aren’t monitoring tools, it makes sense that respondents found them to be effective in establishing visibility.

“When you look at identity and access management, it enables you to control access using things such as traditional credentials and multifactor authentication. You can derive intelligence from the use of multifactor authentication and the policies that prompt users,” Bell said. “IAM also enables governance, where you're creating and assigning permission sets to end users.”

IAM tools can also integrate with other security solutions to enhance visibility even further, Bell said. For example, combining IAM with behavioral analytics and physical security systems can help IT teams spot anomalous behavior that may indicate a cybersecurity threat, such as a user who has not badged into an office building but who has logged in to a computer there. “Well-managed identities are key to security,” Bell said. “If you don't know who's trying to access what, you will ultimately fail at this.”

The survey also revealed that many IT professionals consider their organizations ready for a security breach. When asked how prepared they feel their organization is to respond to a cybersecurity incident, 32 percent said they felt “very prepared,” while 49 percent said “somewhat prepared.” Only 10 percent said they felt unprepared.

Bell credited many of the improvements that organizations have made in their cybersecurity posture to making it a higher priority. Many organizations have added roles such as a CISO to bring additional expertise and focus to their security efforts and have established clear lines from security leaders to executive teams. In fact, 29 percent of respondents (more than for any other option) said the person with ultimate responsibility for cybersecurity in their organization reports to the CEO.

Bell also noted that cyber insurance is having a powerful impact on the security posture of many organizations. To this point, 61 percent of respondents said their organization’s cybersecurity insurance policy “heavily” or “significantly” influences its security strategy.

“Many cyber insurers have begun to develop partnerships with security vendors that they can bring in as experts to help their organizations really have a well-prepared incident response plan,” Bell said. “That benefits a cyber insurer as well as the company in question.”

The research also suggested a connection between visibility and preparedness. Of respondents who said they were “very confident” in their visibility, 52 percent said they felt “very prepared” for a cybersecurity breach.

How rapidly can your organization recover from a cyber incident?
CDW can help you bounce back quickly.

One common challenge organizations face is in integrating the numerous tools they bring into their security environment. Forty percent of the IT and security professionals surveyed said it was “very difficult” or “somewhat difficult” to integrate all of the security tools their organizations use.

The high number of tools in use also can create an information overload, as security teams are forced to deal with an increasing number of alerts from their tools. This can distract security staff and add to both their stress and fatigue. “That is a risk of additional tools,” Bell said. “You’re getting more visibility, but it may be difficult to manage.”

Automation is one way to address this issue, Bell suggested, combining data flows and allowing AI and other tools to screen out some of the alerts so security teams can focus on priority issues. Eliminating unnecessary or redundant tools may also simplify the security environments of organizations that find themselves dealing with integration issues, Hagopian added. “We talk a lot about rationalizing toolsets, and the way you rationalize is, you look at the overlapping functionality that you have in play,” she said. “Are there ways to deprecate overlapping functionality? If so, deprecate and consolidate, and then use that money you're saving to invest in the places where you have a gap.”

The global shortage of skilled cybersecurity professionals has been widely discussed, and our research indicates that this remains an issue. One quarter of respondents said their security teams were either understaffed or severely understaffed, while 35 percent said they had most of their needs covered but would like to have more help.

This situation appears to be linked to the stress that IT professionals feel related to cybersecurity. Roughly 41 percent of respondents rated their overall stress level as somewhat or very stressful, and the issues that contribute most to stress were “a lack of staff” (45 percent) and “responding to cybersecurity threats” (44 percent).

“A lot of organizations are experiencing pain because the security workforce is not large enough,” Hagopian said. “Staffing issues tend to be pervasive, and automation is definitely an effective way to contend with those challenges.”

Keeping skilled security professionals on staff has also been a longtime challenge for organizations across industries. While training was the most popular option for retaining security professionals, survey respondents also suggested that compensation is a useful way to address these challenges, with 75 percent citing “competitive salaries” as an effective solution.

“This is a stressful industry, there's just no two ways about that,” Bell said. “Things like job rotation can help — putting people into roles to let them gain additional experience. Obviously, putting together some kind of training strategy for people can help them secure and develop their own careers. I think that's a huge value-add for companies looking to retain staff.”

While the vast majority of respondents said their organizations were at least somewhat prepared to respond to a breach, the threat of a cyberattack remains a major issue for most organizations. Slightly more than 43 percent of respondents said they had suffered breaches that cost their organizations between $1 million and $10 million in downtime. Another 8 percent said they had suffered a breach costing more than $10 million.

Cybersecurity experts agree that for most organizations, a breach is likely inevitable. “Organizations need to operate under the assumption that they'll be breached at one point or another,” Bell said. “In a sense, that's the entire basis of the zero-trust push that we've been seeing over the past couple of years, the idea that you may have already been compromised.

The push for zero trust — a cybersecurity approach that requires all users, inside and outside an organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted access to applications and data — appears to have accelerated. Over 41 percent of respondents say they are in the advanced stage of zero-trust implementation, while another 12 percent said they have achieved the optimal level of maturity.

Preventing a breach is a worthwhile pursuit, but organizations also should make efforts to plan for how they will respond to a cybersecurity incident. The better prepared organizations are, the simpler their recovery will be.

“Cyber recovery is a lot easier if you have network segmentation because that will isolate the incident and create a quicker time to recovery,” Hagopian said, adding that cyber hygiene is a relatively simple way to bolster resilience. “I tell people all the time that there's just basic preventive measures you can take, such as stronger credential management, basic email protection from spam or phishing attempts, and keeping systems patched and firmware updated. When you look at the major incidents making headlines over the past few years, most could have been prevented by following these fairly standard procedures.”

With the ongoing shortage of security professionals, many organizations look for help from third-party partners. Security training was the function most commonly outsourced by respondents (36 percent), while managed security services were second, at 27 percent.

Interestingly, 26 percent of those surveyed said their organizations were not outsourcing anything. These organizations may be missing an opportunity to focus more effectively on their core mission, Bell said.

“Honestly, organizations should ask themselves, what is their core function? You’ve got toy companies doing security. Why are you doing that?” he said. “You can find partners to outsource some of these elements out there. Nobody builds their own HVAC system and then sends somebody up to the top to do recharges of the coolant. Take a look at what you can outsource within the security model to keep your people fresh and doing relevant work for your business.”

Similarly, 48 percent of respondents said Software as a Service is the purchasing method their organization uses most often to procure new IT tools and services

What are your next steps with zero trust?
CDW’s Rapid Zero Trust Maturity Assessment
can help you see the path.

IT and security professionals seem to have a high level of confidence in many of the cybersecurity tools their organizations have deployed. Network security (89 percent), data security (87 percent) and encryption (85 percent) ranked as the solutions in which respondents said they somewhat or strongly agree that the tools are helpful.

Such confidence is important, as organizations face new attacks and tactics continuously. “We're seeing novel attacks such as those from Volt Typhoon actors right now against critical infrastructure targets,” Bell said, citing a Chinese state-sponsored hacker group. “Those not only represent a whole new challenge generally, but what we're finding is that these attacks are incredibly difficult to detect. To that end, defense is obviously important — that prevention aspect — but I would also say that detection and containment are equally important and should be a primary consideration.”

IT leaders at many organizations are unsure of which security tools to deploy against the vast number and variety of attacks they face. Bell suggests they seek guidance from organizations such as NIST and the Cybersecurity and Infrastructure Security Agency. “There are some interesting public resources that are available to everyone,” he said. “For instance, I'd advise anyone with an interest in response and recovery to become familiar with NIST’s ransomware risk management framework.”

What's next? Learn how better security
can improve your ability to innovate.