Only 20% of CISOs and cybersecurity leaders believe they could prevent a damaging breach today, despite 97% saying their enterprises are as prepared or more prepared for a cyberattack than a year ago. 

Ivanti’s State of Security Preparedness 2023 Report reflects how much work enterprises need to do to increase their cybersecurity preparedness for 2023.

CISOs need help making progress in organizations with a reactive checklist mentality that slows down progress. A checklist mentality is particularly noticeable in how security teams prioritize patches, with 92% of security professionals reporting they have a method to prioritize patches. Given the exponential increase in cyberattacks over the last two years, all patches are considered a high priority.

“Patching is not nearly as simple as it sounds,” said Srinivas Mukkamala, chief product officer at Ivanti. “Even well-staffed, well-funded IT and security teams experience prioritization challenges amidst other pressing demands. To reduce risk without increasing workload, organizations must implement a risk-based patch management solution and leverage automation to identify, prioritize, and even address vulnerabilities without excess manual intervention.”

Ivanti’s report also found that executives are four times more likely to be victims of phishing than other employees. Nearly one in three CEOs and members of senior management have fallen victim to phishing scams, either by clicking on the same link or sending money. Whale phishing is the latest digital epidemic to attack the C-suite of thousands of companies. 

Identifying the widest gaps in cybersecurity preparedness    

CISOs face the continual challenge of balancing multiple, sometimes conflicting, priorities to improve cybersecurity preparedness. One CISO of a leading electronics distribution company told VentureBeat it’s common for his organization to track more than 70 high-priority projects in a given year. Projects that address the most severe threats to revenue are fast-tracked, given their potential immediate impact on mission-critical systems and financial performance. 

Ivanti’s study found that CISOs and cybersecurity leaders are in for a challenging 2023, as four areas have critical-to-high predicted threat levels in 2023. They include ransomware, phishing, software vulnerabilities and DDoS attacks. “Threat actors are increasingly targeting flaws in cyber hygiene, including legacy vulnerability management processes,” Mukkamala told Venturebeat.

Enterprises have most often experienced phishing, software vulnerabilities, and ransomware attacks in the last 24 months. These three areas have the highest predicted threat levels going into 2023. Image source: Ivanti’s State of Security Preparedness 2023 Report.

CISOs say they are least prepared to defend against supply chain vulnerabilities, ransomware and software vulnerabilities. Just 42% of CISOs and senior cybersecurity leaders say they are very prepared to safeguard against supply chain threats, with 46% considering it a high-level threat. 

Ivanti’s research team calls supply chain vulnerabilities, ransomware, software vulnerabilities and API-related vulnerabilities “inverted” threats, where preparedness levels lag estimated threat levels. Based on conversations VentureBeat has had with devops teams across enterprises, it’s clear that software bills of materials (SBOMs) need to be a top priority going into 2023.

Inverted threats are making CISOs’ jobs even more challenging as they’re forced to play catch-up on multiple fronts while securing the ongoing operations of an enterprise. Image source: Ivanti’s State of Security Preparedness 2023 Report.

Procrastinating about patch management can be lethal 

Not getting patching right can have disastrous consequences, as the global double-digit growth rates of ransomware attacks illustrate. Targeted ransomware attacks nearly doubled in 2022, with over 21,400 ransomware strains detected. IT and security professionals need to work on patch management as the majority of them, 71%, see it as overly complex, cumbersome and time-consuming. 

In addition, 57% of those same professionals say remote work and decentralized workspaces make patch management even more of a challenge, with 62% admitting that patch management takes a backseat to other tasks. Legacy approaches, including inventory management by spreadsheet to track patches, are proving too time-consuming for IT teams to rely on, making automated approaches far more effective.  

Ivanti’s research team found that patches become a priority when attackers impact mission-critical systems. 61% of the time, it takes an external event to trigger patch management activity in an enterprise. Being in react mode, IT teams already overwhelmed with priorities push back on other projects that may have revenue potential. 58% of the time, it’s an actively exploited vulnerability that again pushes IT into a reactive mode of fixing patches. 

In 2023, enterprises need to automate patch management and get out of the vicious cycle of constantly reacting to attackers’ intrusion and breach attempts on out-of-date systems and endpoints. Getting patch management right using automation frees IT teams to work on projects that directly impact revenue and grow the business. Getting patch management right can save and grow profits.

IT teams are in react mode regarding patch management, driven to take action by attackers’ attempts to compromise mission-critical systems and actively exploit vulnerabilities. Image source: Ivanti’s State of Security Preparedness 2023 Report.

Reduce tech stack complexity 

CISOs are concentrating on consolidating their tech stacks to make them more efficient and save on costs. Many enterprises want best-of-breed solutions for each aspect of their cybersecurity strategy. Integrating acquired best-of-breed applications has proven challenging as each app has a different revision cycle, approach to API integration and pricing model. 

“This is one of the very few sub-sectors of technology where the onus of integration is always transferred to the customer,” said Nikesh Arora, CEO of Palo Alto Networks, during his keynote at the company’s IGNITE22 conference this week. He continued, “in the cybersecurity industry, we have created so much fragmentation that, over time, the onus of integration belongs to the customer.” 

It’s understandable how tech stack complexity is the most significant barrier to enterprises improving their cybersecurity preparedness today. 37% of CISOs and security leaders point to how complex their tech stacks have become as an impediment to improving their cybersecurity posture. 

That’s closely followed by the chronic skills gap, labor shortage in cybersecurity and challenges getting cybersecurity training right. Ivanti comments in the report that “this gap reinforces findings by many other studies, including a recent report from ISC2 that found the global cybersecurity workforce gap increased by 26.2% in 2022 compared to 2021, and 3.4 million more workers are needed to protect assets effectively.”

Getting tech stack complexity under control is core to improving cybersecurity preparedness as enterprises continue struggling with integration challenges across apps and continual patches that need to stay in sync stack-wide. Image source: Ivanti’s State of Security Preparedness 2023 Report.

More breaches, more budget 

With a record number of ransomware attacks this year, it’s also understandable why cybersecurity budgets continue to increase. CEOs of enterprise cybersecurity companies tell VentureBeat that boards of directors are prioritizing cybersecurity spending as a core part of their risk management strategies. 

With boards supporting more spending on cybersecurity, it’s not surprising to see 71% of CISOs and security professionals predict their budgets will jump an average of 11%. That’s well above the projected inflation rate for next year. Ivanti notes in their report, “that’s roughly three times the expected budget growth in compensation for 2023, according to the Society for Human Resource Management.” The report quotes Lesley Salmon, global chief information officer at Kellogg, who recently told the Wall Street Journal, “If I get a budget challenge, it doesn’t come out of cybersecurity.”

CISOs and security leaders are optimistic about next year’s budget, as boards of directors classify cybersecurity spending as a core part of their risk management strategies. Image source: Ivanti’s State of Security Preparedness 2023 Report.