Cynet just released what may be the first-ever survey of CISOs with small security teams (access the survey report here), specifically those with 5 or less team members, to uncover how these teams are taking on increasingly complex cybersecurity challenges. The 2021 Survey of CISOs with Small Security Teams was conducted with 200 CISOs at 200 companies that have between 500 and 10,000 employees. These teams have unique challenges as they hold an essential role within their companies but do so with a small presence and often a small budget.
[Join a live webinar in which we present and discuss the survey findings here]
The CISOs surveyed believe that their risk of attack is higher than enterprises with larger security teams. Given the threat landscape facing today’s enterprises, it seems there’s a minimum threshold of staff, expertise and technology that is required to protect ANY organization, and most of those surveyed feel they simply do not meet that threshold. Facing higher risks with fewer resources puts these CISOs in a precarious situation.
The real danger is that the lack of protection these smaller organizations suffer is not missed by cyber criminals. They know that these smaller organizations are much easier pickings than larger, well-funded and better protected organizations.
Like many “fields of work”, there is a vast network of cybercriminals that rely on an extensive dark web network of tools and consultants. They can apply the tools and skills used to attack larger enterprises and achieve much higher success when attacking smaller organizations. Because cybercrime is essentially a business, even highly skilled cybercriminals weigh effort vs. reward potential and ultimately focus on smaller enterprises to better ensure success. Even lower skilled or “entry level” cyber criminals can target smaller organisations and expect a decent-enough success rate.
According to the survey, what are the CISOs at smaller organizations planning to combat these threats?
Outsourcing is one way to handle risk. This common approach is split almost equally between companies outsourcing to an MDR service (53%) and those that are using an MSSP service (47%). When using an MDR, 33% of CISOs prioritize 24/7 critical alerts and monitoring, 21% are looking for remediation capabilities, and 21% would prioritize incident response recommendations
When asked how small security teams are trying to reduce the impact of their unique challenges, 80% of CISOs responded that they would like to invest more in automation, proving that the tide is turning towards smart processes. 48% of CIOs revealed that they could have avoided some security incidents in 2020 if they had a bigger team. Without the ability to meaningfully expand their teams, automating processes would allow their current teams to do more with less.
The CISOs know which breach prevention technologies are essential, with EDR at 52% adoption, and 87% of CISOs seeing value from its use. 15% of CISOs report having an XDR solution in place. XDR adoption makes sense as it supports several tactics indicated by respondents, including the investment in automation solutions and processes (80%), consolidating security tools and platforms (61%) and replacing complex security technologies (52%).
The Bottom Line
Protecting an enterprise with a small security team and limited technology budget is like fighting with one hand tied behind your back. CISOs of small security teams must be highly creative, adept at stretching limited technology budgets and having their small teams wear many hats.
These are the CISOs that will push cybersecurity technology in the direction of improved usability by demanding automation and simplification at reasonable costs. These are the CISOs that cannot afford, both in terms of cost and resources, to purchase a broad set of defensive technologies and then integrate and support the necessary orchestration required to lavage the investment.
It behoves the cybersecurity industry to pay much more attention to this market segment. These are the CISOs, cybersecurity practitioners and companies that have been lost in the wake of proliferating technology and need more usable, simplified, pre-integrated cybersecurity solutions. Cybersecurity vendors should strive to address the issues raised in the survey.