Growth. It’s the common denominator of many aspects of cybersecurity.
The severity of threats and the likelihood of attacks have clearly grown, as they seem to do every year in recent history. However, so too has the investment in defense, innovation in technology, and knowledge to fight back.
At a high-level that may well sum up this year we’ve had in cybersecurity. On account of the many studies and reports we’ve reviewed on these pages over the last 12 months, here are 18 statistics and research figures summarizing 2019.
1) Cybercrime tops $6 trillion in costs by 2021.
Cybersecurity Ventures predicts cybercrime damages will cost $6 trillion annually across the globe by 2021. That’s double the figure from 2015, which came in at roughly $3 trillion.
2) Cybersecurity as a competitive advantage in business.
About one-third of business executives (34%) see cybersecurity as “a driver of competitive advantage or differentiation,” according to a study – The Modern, Connected CISO (PDF) – presented by research firm IDC and consulting firm Capgemini. Nearly half of respondents (46%) say security is “vital to the competitiveness” of a company’s products or services.
3) Financial services are 300 times more likely to be attacked.
“Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack,” according to a report by the Boston Consulting Group. “Dealing with those attacks and their aftermath carries a higher cost for banks and wealth managers than for any other sector.”
4) The average investment FinServ makes in security.
Financial institutions spend an average of .3% of revenue and 10% of their IT budget on cybersecurity, according to numbers tallied by the consulting firm Deloitte. That works out to about $2,300 per employee.
5) Cybersecurity and M&A due diligence.
A report by PwC, which aggregated data from several related studies, underscored two important cybersecurity concerns that should be examined during due diligence for M&A transactions:
- A 2017 survey, conducted by Donnelley Financial Solutions and Mergermarket, which found about 80% of dealmakers uncovered data security issues in about one-quarter of their deals over the previous two years.
- The consulting firm notes that two high profile breaches disclosed by Yahoo shaved 7% off its price when it was being acquired by Verizon. Those breaches also forced the seller to share any future risk related to cybersecurity.
6) Network security is getting harder.
A network security survey we conducted found 64% of security pros said network security is getting harder. Of those, 21% or about one-fifth of respondents overall said network security is getting much harder.
7) Visibility is the top cloud security challenge.
Oracle and KPMG polled more than 450 cybersecurity and IT professionals and asked: “What are the biggest cybersecurity challenges currently experienced by your organization today?”
Cloud visibility was at the top of the list:
- 33% said detecting and reacting to security incidents in the cloud;
- 29% said the lack of skills and qualified staff;
- 27% said the lack of alignment between security and IT operations teams;
- 26% said the unauthorized use of cloud services; and
- 24% said the lack of visibility across our data center and endpoint attack surface.
8) The top challenges in network security.
When presented with a list of well-defined problems in network security, respondents to the survey we published, identified the top challenges as follows:
- Insider threats – 44%
- IT infrastructure complexity – 42%
- Absence of leader support – 40%
- Lack of tool interoperability – 37%
- Shadow IT – 31%
- Weak controls for privileged access – 29%
- Cloud visibility – 28%
- BYOD – 26%
- Too many alerts – 22%
- Too many tools – 18%
9) MTTI lengthens in incident response.
Incident response (IR) generally takes too long and costs too much. For example, a global study by Poneman (conducted in 2018, but making rounds in 2019) found the mean-time-to-identify (MTTI) grew to 197 days from 191 days year-over-year. In addition, the time to remediate a breach also grew from 66 to 69 days. This all comes at a price too – the average cost of a breach tallied up to $3.86 million.
10) SOCs adopt threat hunting as risks change.
Threat hunting made the list of the “Top Seven Security and Risk Management Trends for 2019” by Gartner:
“The shift in security investments from threat prevention to threat detection requires an investment in security operations centers (SOCs) as the complexity and frequency of security alerts grow. According to Gartner, by 2022, 50 percent of all SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat-hunting capabilities, up from less than 10 percent in 2015.”
11) Threat hunting adoption is slow but steady.
A survey by eSecurity Planet found the adoption of threat hunting – the process of seeking out threats that may have evaded detection – stands at between 40% and 50% across security organizations. The survey noted the larger the organization, the “more actively engaged in threat hunting, with 51 percent engaged in threat hunting once a year or more frequently. That number drops to 40 percent for organizations of 100 employees or fewer.”
12) The benefits of threat hunting.
The “2019 Threat Hunting Report” by Cybersecurity Insiders identified the top benefits of threat hunting as follows:
- 62% said improving the detection of advanced threats;
- 51% said finding new ways of finding threats;
- 47% said reducing time wasted on chasing false leads; and
- 47% said discovering threats that could not be discovered otherwise.
13) Most security teams are understaffed.
The State of Cybersecurity 2019 report by ISACA found that 69% of respondents said their cybersecurity teams are understaffed and it can take six months or longer to fill vacancies. The study which polled 1,576 security professionals, also found:
- 69% said their teams are significantly (21%) or somewhat (48%) understaffed;
- 58% said their enterprises have unfilled cybersecurity roles;
- 32% said it takes six months or longer to fill those positions – that’s up from 26% reported in the same survey the previous year; and
- 82% cited better financial incentives, such as salaries and bonuses, as reasons for leaving an employer.
14) Top security pros are well integrated into the business.
A survey of 3,000 IT professionals by consulting firm PwC identified the top 25% percentile of performers among cybersecurity specialists. More importantly, it revealed what they do differently across several areas including the notion that top performers are well integrated into the business:
- 65% of top performers strongly agreed that the cybersecurity team was “embedded in the business, conversant in our business strategy and has a cybersecurity strategy that supports business imperatives” – vs. 28% of all respondents.
15) The relationship between cybersecurity and DevOps.
Security pros were split in what was roughly a three-way tie on the relationship with DevOps:
- 34% of security professionals say the relationship is strong;
- 35% say the relationship with DevOps is neither strong nor weak; and
- 27% say the relationship with DevOps was weak.
16) Average salaries for cybersecurity positions.
The average salary for a cybersecurity position in the U.S. is north of $100,000 according to several salary surveys. One study by Mondo offers more precise average salary figures by position:
- CISO: $175,000 – $275,000;
- Information security manager: $120,000 – $185,000;
- Application security engineer: $120,000 – $182,500;
- Network security engineer: $115,000 – $172,500; and
- Cybersecurity engineer: $110,000 – $165,000.
17) The security community needs tools that talk to each other.
Enterprises can accrue as many as 25 cybersecurity tools in their defense arsenal and many of these don’t talk to each other. In our survey, 37% of respondents ranked data interoperability as one of the top five challenges for network security. In addition, nearly 60% of respondents said the tools in their organization just somewhat share data or not at all.
18) Venture investment in cybersecurity continues to grow.
There’s a lot of investment fueling security innovation. Venture capital firms invested some $5.3 billion in cybersecurity startups, over about 350 deals in 2018. “That’s up from 20 percent – $4.4 billion – from 2017, and up from close to double on 2016,” according to TechCrunch.
* * *
What statistics stood out for you this year? Tweet us up: @BricataInc
If you enjoyed this post, you might also like:
3 Cool New Network Security Features in the Bricata Platform you Might have Missed