XM Cyber’s 2024 Survey on the State of Security Posture Reveals Remediation Efforts Falling Behind Surging Exposures
January 2024 by XM Cyber
XM Cyber released findings from its 2024 State of Security Posture Survey. The report, based on a survey of 300 CISOs and security decision-makers from large organizations in the US and UK, assesses how exposures are being remediated, the level of effort invested in this undertaking, and the motivations behind such efforts.
The report provides valuable insights for organizations striving to navigate the evolving threat landscape effectively. Several key themes emerged from the responses, painting a comprehensive picture of the current state and challenges in cybersecurity.
Notable Trend 1 - Increased effort is going towards an ever-growing number of threats, leaving a gap that is currently not being closed
First is a trend towards increasing commitment to remediation efforts. 87% of organizations indicate plans to enhance vulnerability and exposure remediation efforts within the next year. This decision comes despite challenges, such as a shortage of skilled personnel and the burden on existing security teams. Additionally, 62% of IT and security teams are actively engaged in remediating exposures, handling an average of 12 per week. This indicates substantial yet insufficient effort given the thousands of Common Vulnerabilities and Exposures (CVEs) as well as the ever-growing number of exposures such as misconfigurations and credential issues that are increasingly exploited in attacks.
The survey also reveals the growing complexity and volume of cyber threats. 82% of companies report an expanding gap between the number of exposures and their ability to manage them. This widening gap reflects both the increasing volume and sophistication of cyber threats. Moreover, the struggle with outdated legacy systems, as reported by 90% of respondents, underscores the difficulty in aligning older systems with emerging threats, highlighting the need for a new approach.
Notable Trend 2 - Organizations suffer from technological and communication silos
Another prominent theme is the focus on cloud and integrated cybersecurity strategies. Roughly 45% of organizations identify the cloud as a primary area for enhancing security posture, indicating a shift towards cloud-centric security concerns. However, nearly half of the organizations surveyed manage exposures separately for on-prem and hybrid cloud environments. This suggests a growing need for integrated, holistic approaches, moving away from siloed strategies that leave gaps in defense mechanisms.
Challenges in communication and organizational alignment are also evident. Approximately 68% of companies emphasize the importance of effectively conveying security posture to leadership. The report also notes a discrepancy in processes at different organizational levels, with more senior roles reporting more formalized processes than do those on the operational frontlines, indicating a potential disconnect in understanding and addressing cybersecurity challenges.
Notable Trend 3 - Organizations are looking for scalable and adaptable solutions
Lastly, the survey addresses the aspect of centralized management and scalability. About half of respondents report using a single program to manage exposures, a trend more prevalent in smaller organizations. In contrast, larger companies often face challenges in implementing such centralized approaches, underlining the need for scalable, adaptable solutions catering to the diverse needs of organizations of different sizes.
The findings underscore the critical need for organizations to evolve their cybersecurity strategies. As threats become more sophisticated, the emphasis shifts from traditional threat management to a more comprehensive approach that encompasses cloud environments, identity management, and effective communication. The report highlights the urgency of adopting scalable and integrated solutions to address the complex cybersecurity landscape effectively.
“The data highlights two crucial gaps that need to be bridged: the expanding gap between exposures and remediations, and the communications gap between security operators and leadership,” said Boaz Gorodissky, CTO and Co-Founder of XM Cyber. “It’s a call to action for organizations to not only invest in advanced solutions but also to foster a culture of cybersecurity awareness and collaboration.”
XM Cyber conducted a survey involving 300 full-time employees, including influential decision-makers such as CISOs, Directors, VP/Heads of Security, and other senior cyber professionals responsible for purchasing decisions. These participants were strategically sourced from 210 organizations in the US and 90 in the UK, all with 2,500 employees or more. The survey, spanning the second half of 2023, was conducted in collaboration with Global Surveyz, an independent survey company.