ISG Provider Lens™ Cybersecurity - Solutions and Services - Security Service Edge (Global) - U.S. 2023
CISOs will invest in eliminating threats and reducing costs, enhancing UX and risk posture
The year 2022 saw multidimensional challenges, which helped revolutionize the U.S. cybersecurity market from different perspectives. In that year, the U.S. witnessed more than 1,800 reported breaches, which was slightly lower than in 2021, which saw 1,862 incidents. However, the sophistication of the attacks was significantly higher in 2022, with more than 422 million individuals impacted compared with 298 million in 2021. The decline in breaches was partially due to federal laws that issued rulings to report only during actual damage and not for a potential one. While most large firms issued a breach notice, the notices had little to no information on the extent and impact of the attacks. Industry sources cite that the average time to identify a breach is about 207 days, which is almost half a year; the impact of the breaches is either unknown or not investigated further.
The second half of 2022 witnessed changes, with the U.S. government recognizing the need for strong regulations and policy changes that would encourage enterprises to invest in holistic cybersecurity solutions to protect their business and their clients. While the national Cybersecurity Strategy is aimed at prioritizing cybersecurity as a critical component of the economic prosperity and national security of the U.S., it also addresses the fundamental notion that the private sector holds the key to the public good of cybersecurity.
ISG is of the view that a large portion of the SMB market is invariably linked to large corporations directly and indirectly as part of a larger supply chain. Therefore, it is imperative for SMBs to invest in appropriate security measures to address all vulnerabilities and fill gaps in controls and policies; in short, approach security as a holistic responsibility across the business environment.
ISG’s analysis indicates that U.S. enterprises continue to face challenges like their counterparts in other regions. However, the market shows a stark distinction in approach and investment, given the varied levels of digital transformation between large and small enterprises. Therefore, the approach to identifying challenges and the ensuing activities to ensure a secure environment is largely aligned with the enterprise’s digital maturity, irrespective of its size.
ISG has identified the following challenges enterprises face:
- Expensive attacks and threats: U.S. enterprises continue to face increasingly sophisticated attacks, with cybercriminals employing complex and creative methods. Enterprises struggle to identify threats from unprotected devices and endpoints, vulnerabilities in applications and software, cloud misconfigurations and control policies, legacy infrastructure and internal threats. The cost of a data breach has increased over the years, with increasing expenses related to lost opportunities, regulatory fines and forensic investigation. Attackers are using sophisticated phishing techniques, malware and ransomware to target unsuspecting enterprises. In 2022, cybercriminals were specifically targeting enterprises in the healthcare and education sectors. The cost of a breach, especially in the healthcare sector, is exponentially high in the U.S. with the loss of confidential patient data. Moreover, the healthcare sector is connected to several other critical industries, including banking, finance, payments and insurance, making it particularly attractive for malicious intent.
- Supply chain attacks: Cybercriminals have been attacking weak links in the enterprises’ supply chains, such as their customers, third-party vendors and suppliers. Software supply chain attacks are expected to be the largest reason for compromised identities and data leakage. Enterprises can no longer remain satisfied with just securing their perimeters and plugging vulnerabilities but must also ensure that their partners and suppliers adhere to the highest standards of security. The situation becomes further complex as enterprises increasingly wish to adopt open-source software and develop applications in the cloud, prompting software developers to unintentionally use libraries available online. Threat actors have utilized these channels to embed malicious code and exploit the entire chain of enterprises with targeted attacks. Enterprises are struggling to adopt policies and procedures to undertake continuous assessments and audits of their supply chain partners to ensure changes in behavior, detect vulnerabilities and deception techniques and develop agile isolation capabilities.
- Government regulations and sanctions: The announcement of the National Cybersecurity Strategy policy also indicates that the government and the public are aware of the importance of undertaking voluntary cyber hygiene programs and, at the same time, are aware of the recurring failures due to the soft enterprise measures. The strategy takes recourse in new regulatory frameworks that shift accountability, incentivizing enterprises to set up the appropriate defense against critical vulnerabilities. The U.S. Securities and Exchange Commission (SEC) also proposed cybersecurity measures in 2022 that came into effect in April 2023, once again highlighting the understanding among C-level executives of the criticality of security risks and the requirement for increased transparency in dealing with breaches and threats. Enterprises will be required to disclose cybersecurity experience of board of directors on their 10-K and 8-K forms, governance methods and risk analysis and management processes and incidents deemed malicious within four days of determining that such a situation has occurred.
- IoT and transformation initiatives: Enterprise investments in digital technologies toward their transformation journeys, with IoT, AI and ML, have resulted in increased vulnerabilities that are unknown and inconspicuous. The adoption of IoT has increased the number of endpoints, with enterprises sometimes having little to no visibility of the entire network comprised of a large number of devices. Moreover, some IoT devices and deployments do not follow standard protocols, leaving them vulnerable to attacks, and the limited security integration capabilities make them impossible to protect. Apart from limited visibility, IoT poses other challenges arising from the use of open source software, unpatched vulnerabilities, APIs and weak password protection. The increased sprawl of IoT devices also means that attackers will no longer exploit individual endpoints but the entire network to create botnets for extensive distributed denial of service (DDoS) attacks. These attacks, especially on critical infrastructure, will prove to be devastatingly costly from both a monetary and a socioeconomic perspective.
- Skills and gap talent: U.S. enterprises continue to face a shortage of cybersecurity talent and skillsets, with industry sources citing nearly 700,000 unfilled positions. Apart from the explosive growth of technology becoming a challenge for cybersecurity professionals, enterprises are also struggling to retain employees due to their requirements for multiple certifications and years of experience and the investments needed to keep skills up to date. Industry sources cite that the average experience for cybersecurity professionals is around six years across U.S. enterprises, further creating challenges with handling legacy security tools and solutions. Moreover, enterprises are struggling to retain employees due to the change in work culture post-pandemic, and because of competition from technology start-ups offering attractive packages and career opportunities, which is triggering job hopping.
- Remote and hybrid work: Although enterprises are expecting and urging employees to return to work, the work culture and workplace have undergone a significant evolution with the adoption of emerging technologies. Enterprises are challenged by their expanded perimeter due to the investment in devices, endpoints, cloud and applications that are enabling remote and hybrid work. These factors have contributed to the increased attack surface and vulnerabilities because most of these investments were focused on attaining uninterrupted operations, but without the necessary diligence and control policies in place. Enterprises are also challenged by limited visibility across devices and applications and from complexities arising from insider threats.
Enterprises are taking necessary initiatives to reduce attack surface by focusing on the following
- Focus on business resilience: Since 2021, cyber resilience has been gaining mindshare among C-level executives across U.S. enterprises, with 2022 seeing the evolution of resilience widening to include business and operational aspects. While enterprises have been investing in intelligence-led detection and response solutions, they are also keen on investing in rapid recovery and business continuity capabilities. U.S. enterprises understand that investing in point solutions will not suffice; they need to take a holistic approach, assessing their risk appetite and maturity in implementing relevant solutions that mitigate business risks. Enterprises view resilience as a key factor in bolstering their ability to survive in the face of threats and for maintaining trust, responsibility and accountability, while ensuring high levels of CX.
- Industry-aligned cybersecurity: Enterprises are investing in identifying vulnerabilities and risks that are unique to their business and ecosystem and are taking proactive measures to test and understand their threat landscape. With attackers targeting specific industries such as healthcare, utilities, automotive and education, enterprises are keen on investing in cybersecurity solutions that align better with their industry-specific regulations, threats and attack vectors. Besides compliance, controls and frameworks, attackers are exploiting similarities in unpatched vulnerabilities and backdoors to launch phishing campaigns that lead to breaches.
- Zero trust and SASE: As more enterprises invest in the cloud as a way to achieve digital transformation and support remote and hybrid workers, the Zero Trust framework has become an imperative investment. The framework’s Never Trust, Always Verify tenet helps address multiple aspects, including perimeter-less enterprises, mutual authentication, explicit scrutinization, continuous monitoring and micro-segmentation of the network. The framework requires a thorough understanding of existing security solutions and requires phased investments to consistently deploy security measures deemed relevant for an enterprise. Security service edge (SSE) is another approach that supports their cloud migration journey and allows enterprises to start with small investments and progress rapidly.
- Adhering to regulations: Enterprises seek to undertake continuous and periodic risk assessments and audits across different areas, covering changes related to business strategy, supply chain, M&A and financial exposure. Apart from this, spending is focused on conducting periodic vulnerability scans and penetration tests to identify access points that are not secure and visible to security analysts. CISOs engage with providers that have red teams to simulate sophisticated cyberattacks to better understand vulnerabilities and weak access points and determine how adversaries can access sensitive data or disrupt networks. Enterprises are also adopting stricter measures and processes to thoroughly assess third-party vendors and software suppliers to minimize the risk of attacks through the supply chain. From a prevention perspective, enterprises will become more cautious and invest in measures, including patching known exploits and deploying anomaly detection tools. As a comprehensive and overall strategy, they are investing in strong response and recovery plans to minimize the scale and impact of breaches.
- Human-centric training and awareness: Enterprises focus on providing awareness training to their employees to embed a cybersecurity-centric culture that would help reduce human errors and internal threats. Enterprises are also seeking innovative and user- oriented training that would help beyond just certification and instill a cybersecurity culture. Enterprises are willing to invest in multi-pronged security training to ensure a better understanding of sophisticated attack campaigns and vulnerabilities. Apart from addressing data breach, the trainings are expected to help address areas such as improved compliance, UX, employee well-being and customer assurance.
Considering there are challenges in aligning the CISO and overall enterprise objectives, ISG has analyzed CISO-specific challenges that hamper the effective security of an enterprise.
- Recessionary fears impacting budgets: CISOs are faced with constrained budgets, with the fear of a looming recession undermining their ability to defend their businesses against the ever-increasing frequency and sophistication of attacks. In some cases, budget reduction results in an executive board contemplating the right balance between ROI and the possibility of an actual attack. The economic headwinds have strained the ability of the CISO to invest in security solutions or hire relevant cybersecurity personnel. CISOs are struggling to allocate budgets and prioritize security solutions and services that would help drive value and enhance risk posture.
- Fatigue and alerts: Security teams are swamped with work related to alerts, tools, technologies and intelligence, and other challenges. While these teams must learn to adapt themselves to emerging security technologies, they also need to gain a better context and understanding of the behavior of attackers and indicators of compromise (IoC), which would help them identify breaches and vulnerabilities. While most existing solutions offer alerts, the increased recurrence is likely to have an adverse impact on adherence to safety protocols. The market is also flooded with multiple tools and technologies claiming to have the ability to address security threats and attacks, making it difficult for security professionals to choose the optimal solution for their infrastructure. The market is also facing the challenge of incorrect information related to threat intelligence, which further puts a strain on security analysts, creating distrust and fatigue and affecting their morale and effectiveness.
- Tool sprawl: U.S. enterprises have an average of more than 25 security tools and solutions in place, according to industry sources. This volume complicates management and creates challenges in providing effective security. Apart from the challenges arising from legacy systems and related outdated and unpatched vulnerabilities, the lack of technical support and tool sprawl lead to other issues, including difficulties in integration with other tools and operationalizing them. Tool sprawl is also identified as the cause of increased fatigue and burnout while enterprises struggle to find appropriate talent to offer support with these technologies.
- Cloud security: The unprecedented rate at which enterprises are adopting the cloud has prompted CISOs to quickly understand the security boundaries of their enterprises and determine responsibilities. Cloud misconfigurations have been cited as the most common area of security compromise, leading to the loss of data to cybercriminals. CISOs are also challenged with identifying where the data resides and when it is in motion to aid a better security posture throughout the data lifecycle.
CISOs are actively seeking the following solutions and services that will help them to improve the current situation.
- Aligning with business objectives: CISOs are looking for solutions and services that help them better prioritize their cybersecurity initiatives and align them with enterprise business objectives. Apart from monitoring the threat landscape, CISOs are keen on educating board members on risk management capabilities relevant to an enterprise to ensure business resilience and growth. CISOs are looking to invest in solutions that can address industry-specific security threats, fostering a comprehensive security culture, creating awareness about insider threats and making cybersecurity a business problem rather than a technology problem.
- Tool and vendor consolidation: CISOs are looking for solutions that help address tool sprawl and technology rationalization. Cybersecurity services and solutions that enable better integration with existing tools and deliver intelligence to enable the appropriate response will gain traction. CISOs will invest in solutions that help them consolidate various tools and technologies, yet offer holistic detection and risk mitigation functionalities. They are no longer keen on investing in best-of-breed capabilities, but rather on integrated product suites and single vendor platforms that will offer relevant risk management better suited for an enterprise’s risk appetite.
- Risk prioritization and quantification: CISOs are investing in risk assessments and audits that help to better prioritize threats and risks specific to their business. Cybersecurity solutions and services that offer in-depth intelligence with industry aligned assessments hat consider supply chain risks are gaining traction. Although in the early stages, CISOs are investing in risk quantification solutions that allow them to engage and convince C-level executives to invest in appropriate security technologies. While the market is flooded with comparable scoring and benchmarking tools, CISOs are preferring solutions that can quantify risk in terms of monetary losses, which enables them to prioritize as well as educate board members to take appropriate security measures.
- AI- and automation-driven intelligence: Security teams are looking for solutions with the highest level of automation. AI that can sift through alerts and logs to provide in-depth threat intelligence. Besides alert fatigue, CISOs are investing in humancentric solutions that leverage context- and behavior-led engines to detect threats and vulnerabilities. In addition to mitigating threats, these solutions offer intelligence to understand the kill chain and malicious behavior to prepare for and prevent such attacks in the future.
- Utilizing outsourced services: Managed services will become the new normal and de facto choice for enterprises, across different sizes, given the complex threat environment and lack of talent. CISOs will look for solutions that can integrate better with existing security tools or invest in integrated suites with extended detection and response (XDR) capabilities across the IT environment. CISOs will invest in MDR, XDR and MXDR solutions and services that consolidate intelligence across the IT infrastructure and security tools and prioritize them with remediation, including isolation of threats handled by security experts from an advanced SOC.
Notes on quadrants: The Security Service Edge (SSE) quadrant is analyzed from a global perspective, given its early stages of maturity and because enterprises taking a phased approach to investing in these solutions.
Notes of quadrant positioning: In this study, several security services and solution providers that offer similar portfolio attractiveness in most quadrants are assessed. This reflects the relative maturity of the market, providers and offerings. It is a given that not all are equal in circumstances. The vertical axis positioning in each quadrant reflects ISG’s analysis of how well the offerings align with the full scope of enterprise needs. Readers will also note similarities in portfolio axis (vertical axis) positioning with providers included in ISG’s Provider Lens™ U.S. Public Sector Cybersecurity Solutions and Services study.
Access to the full report requires a subscription to ISG Research. Please contact us for subscription inquiries.