Only 9% of global organizations are taking an agile, holistic and mature approach to securing identities throughout their hybrid and multi-cloud environments, according to a new study by cyber security company CyberArk.
CyberArk conducted a global survey to explore trends in identity security adoption and the relative maturity of organizations embarking on related strategies.
The report, The Holistic Identity Security Maturity Model: Raising the Bar for Cyber Resilience, found that in APAC only 60% of C-level executives believe they are making the correct identity security-related decisions. The gap highlights a common perception that overall security can be achieved by making the right technology investments, but that is only part of the story.
Strategically maximizing those investments, by including implementation and integration with existing environments, breaking down silos and improving training, is equally important.
As a result of a successful cyber attack tied to an identity-related or permission/entitlement/credential-related incident in the last 12 months, APAC organizations suffered the following business impacts:
Loss of customers/revenue: 44%
Paid compliance fines: 47%
Had difficulty responding to an audit/failed an audit: 49%
Impact on the ability to provide services: 51%
The top reasons APAC organizations gave for what holds them back from optimizing their strategy on identity-related security issues are a lack of cyber security staff (41%) and a lack of competency to secure identities (38%).
Over 40% of the global respondents’ identity security programmes, however, are in the earliest stage of maturity and lack foundational tools and integrations to quickly mitigate identity-related risk. An expanding identity attack surface, IT complexity and several organizational roadblocks contribute to this widespread identity security deficit.
The report includes the input of 1,500 cyber security professionals globally and also introduces an identity security maturity model to help cyber security leaders assess their current strategies, uncover risks and take steps to strengthen cyber resilience.
Cyber security needs to be aligned with business goals
The majority of organizations participating in a new cyber security survey were found to be reactive in their approach to defending against cyber threats and piecemeal when it comes to cyber security investments.
The survey, conducted by cyber security firm WithSecure, found that most companies are investing in security solutions that are tactical and reactive rather than in line with the strategic aims of the organization. The survey included more than 400 global cyber security and IT decision-makers and was carried out by Forrester Consulting.
The 22-page survey report, published in March 2023, reveals that as a result of the current reactive approach, security goals become detached from business goals, with organizations investing in defenses against threats that are not relevant to their business or its objectives.
According to Forrester, outcome-based security supports business goals rather than merely reacting to perceived vulnerabilities. It enables business leaders to simplify cyber security by cultivating only those capabilities that measurably deliver their desired outcomes, as opposed to traditional threat-based, activity-based or ROI-based methods.
The report said a more holistic approach to cyber security should strive for outcomes related to risk management, customer experience, resilience and visibility of the threat surface and risks. The outcomes should also pertain to skills, resources and response speed and agility.
WithSecure cyber security adviser and head of solutions and product marketing Paul Brucciani said,
“Outcome-based security is a way to make decisions about what you need to protect and how. But it’s a discipline; it is very easy to buy and implement a new tool, much more difficult to switch off the legacy systems.”
More than 80% of the survey participants said they were interested in, planning to adopt, or expanding their adoption of outcome-based security solutions and services, but 60% of them said their organizations are reactive rather than proactive, responding to individual cyber security problems as they arise.
CEO insights on cyber resilience
A first-of-its-kind study has attempted to explore the minds of CEOs in managing cyber risk.
The study was conducted jointly by ISTARI, a Temasek-founded global cyber security firm dedicated to helping clients build cyber resilience, and Saïd Business School at the University of Oxford.
The study draws on 37 in-depth interviews with global CEOs, nine of whom have endured a serious cyber attack.
The 29-page report, The CEO Report on Cyber Resilience, applies a top-management lens to cyber security risks and underscores the critical role CEOs play in building cyber resilience.
It shares insights from 37 American, Asian and European CEOs whose businesses have an average annual revenue of $12bn and employ an average of 40,000 people. One-third of the interviewees are from Asia. Nine of the CEOs interviewed had guided their company through a serious cyber attack.
The CEOs acknowledged that they are formally answerable to regulators, shareholders and their boards for cyber security, yet the majority (72%) said they were uncomfortable making decisions about it. This often leads them to delegate both responsibility for and understanding of cyber security to their technology teams, which can jeopardize resilience.
ISTARI head of knowledge and insights and co-author of the report Manuel Hepfer said, "Many CEOs we spoke with highlighted the agonies of having to make existential decisions on imperfect information under extreme pressure in an area they lack familiarity and intuition."
The report outlines four mindsets CEOs need in order to lead cyber resilient businesses:
1. All CEOs interviewed said they feel accountable for cyber security. However, a parallel ISTARI survey of Chief Information Security Officers (CISOs) found that one in two European CISOs (50%) and almost a third of US CISOs (30%) did not believe their CEOs feel accountable. According to the research, this gap in perception lies partly in the meaning of accountability: instead of seeing themselves as merely accountable (being the face of the mistake), CEOs should assume co-responsibility for cyber resilience together with their CISO.
2. CEOs should stay away from blindly trusting their technology teams. Instead, they should move to a state of informed trust about their enterprise's cyber resilience maturity.
3. CEOs should embrace what the authors call the 'preparedness paradox': an inverse relationship between the perception of preparedness and actual resilience. The better prepared CEOs think their organization is for a serious cyber attack, the less resilient their organization likely is in reality.
4. CEOs should adapt their communication styles to regulate pressure from external stakeholders who have different and sometimes conflicting demands. Depending on the stakeholder and the situation, CEOs should act as a transmitter, filter, absorber or amplifier of pressure.