Exploring Ponemon Data: After 4 Years, Is Security Satiated With False Confidence?

Recently, IBM Security announced the results of the “2019 Ponemon Institute Study on the Cyber Resilient Organization,” the fourth annual look at cross-industry preparedness for cybersecurity. Each report has taken a year-over-year look at the current state of cyber resilience and the business’ ability to maintain its core purpose in the face of a cyberattack.

Now that we have multiple reports’ worth of insights to digest, what better time is there to dissect those trends from a macro view of what’s improved and where security still needs to improve its efforts to effectively respond to cyberattacks?

Security Leaders Are Feeling Good

There has been a lot of positive improvement since the first report in 2015, including how leaders feel about their current cybersecurity posture. Fifty-four percent rated their cyber resiliency as high this year, which is an improvement from just 35 percent in 2015. This seems to go along with their improved perception of preventing a cyberattack, which increased from 38 percent in 2015 to 53 percent this year.

The Ponemon reports also show that businesses are placing more value in cyber resilience. This year, 62 percent of businesses rated the value of cyber resilience as high, an improvement from 51 percent in 2015.

Chart showing progression of cyber resilience improvements

Chart showing progression of cyber resilience improvements

In theory, this is all good news. Leaders are saying they value cyber resilience more and, as a result, businesses have gotten better at preventing cyberattacks. Naturally, then, leaders feel positive about their business’ overall cyber resilience. But there is still some work to be done.

Confidence Is High, But Is It False? Crucial Areas Are Being Overlooked

Unfortunately, there have also been a few key areas where businesses either haven’t improved or have declined since 2015. Most concerning is the lack of consistent incident response plans. This year, 77 percent of organizations said they do not have a consistent incident response plan deployed across the organization, compared to 82 percent in 2015. This is a slight improvement, but there is still a long way to go, despite the feeling of confidence in overall cyber resilience.

This aligns with stagnation found in other areas. In 2015, 47 percent of businesses rated their ability to quickly detect a cyberattack as high, and it’s improved to just 53 percent this year. Businesses also have decreased confidence in their ability to contain a cyberattack once it has hit, dropping from 52 percent in 2015 to 49 percent today. Clearly, there is a problem if half of all security leaders don’t feel confident in their ability to detect a cyberattack, and then cannot quickly contain it once they’ve found it.

Chart showing areas for improvement with cyber resilience

Chart showing areas for improvement with cyber resilience

Douse Fire Drills With Incident Response Plans

It makes sense that security leaders would not feel confident in their ability to quickly contain a cyberattack if there is not a proper incident response plan in place. Being able to work quickly on a complex and evolving cyberattack requires an in-depth, consistent and repeatable incident response plan.

We know that high performers — study participants who have achieved a high level of cyber resilience — are far more likely to have a consistent incident response plan deployed. High performers were tops in preventing, detecting, containing and responding to cyberattacks, and just 5 percent of those do not have an incident response plan. It stands to reason, then, that starting with a well-defined incident response plan is crucial for cybersecurity overall.

Get Incident Response Plans Off the Ground

We’ve heard from respondents and our own customers that building a plan, keeping it up to date and deploying it consistently across the business is hard work. Whether it’s disjointed business units, too many politics in the way or no leadership support, incident response planning seems to fall by the wayside. But we know having a plan like this in place is crucial to cyber resilience, so how can security leaders overcome these challenges and set the business up for cybersecurity success?

Making incident response plans a reality starts with acknowledging that process is hard to scale, but can be made a lot easier with buy-in from leadership. To start, conduct an enterprisewide workshop to overhaul your incident response processes. This will establish the importance of cyber resilience in the minds of the C-suite as well as leaders from marketing, HR, legal, IT, customer service and other departments. When all stakeholders truly understand the benefits of a fully deployed plan, they’ll be much more invested and willing to contribute to building a standard, documented and repeatable incident response plan.

Of course, businesses will need the right tools and the right people in place to ultimately stop threats effectively. But tools and people are ineffective without a proper plan to guide them. Understanding the risks to the business through the process of building an incident response plan can help your leaders understand which tools to deploy and how many people are needed in crucial roles. By committing to — and consistently testing and adjusting — an incident response plan, this evolution will lead to cybersecurity maturity. From there, security leaders can start implementing automation to create a true orchestrated incident response process for the business.

Increase Efficiency With Orchestration

Once the strategy for an incident response plan has been put in motion, security leaders will have support for their positive feelings toward cyber resilience — which should result in growing confidence in Ponemon reports to come. With a consistent, repeatable incident response plan in place, the foundational pillars of people, process and technology will be set and businesses can mature their cybersecurity processes from there. The high performers lead the way with deploying orchestrated incident response processes, smartly automated tasks and the right people in the loop.

To learn more about the benefits of going through this journey and how getting to an orchestrated incident response model can positively impact the overall business, take a look at how to outsmart cyberthreats with security orchestration and automation.

Download the “Orchestrate Incident Response” e-book