Cyber professionals in North America prioritized reactive information security spending during the third quarter of 2020, allocating more dollars to response and recovery than to proactive efforts to prevent breaches, according to a survey conducted in October.
The Cybersecurity Resource Allocation and Efficacy (CRAE) Index, based on CyberRisk Alliance’s quarterly survey of cybersecurity professionals at North American and European organizations, did show a slight uptick among all respondents in proactive spending compared to the prior quarter, as organizations around the globe continue to respond to risks tied to the pandemic.
The CRAE Index, developed by CyberRisk Alliance (CRA) Business Intelligence and underwritten by Pulse Secure (recently acquired by Ivanti), looks at the five major components of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: detect, protect, identify, respond, and recover. Detecting, protecting, and identifying are considered proactive security efforts, while responding and recovering are considered reactive. During the third quarter, the CRAE Index edged up to 66.7 from 66.5 in Q2.
The latest survey reveals that more than half of European respondents (52 percent) continued to deal with phishing and other identity/credential theft. Endpoint malware; web/cloud attacks; unauthorized resource, application, or data access; and exfiltration of sensitive data also drew resources among organizations.
Despite respondent accounts of increased downtime, reduced productivity, and revenue losses, their confidence about defending against cybersecurity attacks and threats remains strong as indicated by the Efficacy Index reading of 74.2, although a 1.6-point dip in Q3 hints that positive sentiment might be waning.
How to read the numbers: The index is based on a 100-point scale. A score of 50 indicates no change in investments; a number higher than 50 indicates an increase and a number lower indicates a decrease. In this index, every category is above 50, indicating that all areas are increasing, albeit at different rates — faster or slower — than the previous quarter.
Overall, three of the five framework component sub-index readings — identify, protect, and recover — rose in Q3 as organizations reported increased resource and spending allocations for proactive cybersecurity measures, such as process improvements, system and software upgrades, and increased employee awareness and training.
Efficacy sentiment for four out of five activities also increased, although at a slower pace in Q3. “Recovering” efficacy expanded slightly faster on average, reflecting the increased confidence of respondents about their initiatives to recover from information security events and breaches. The CRAE Index edged higher during the third quarter, with information technology professionals investing more in security.
The third quarter also revealed a continuing divergence in the priorities of North American and European organizations. Europeans were more focused on proactive spending against breaches, while North Americans were more focused on reactive spending. The trend continued a pattern established in the second quarter.
Cultural differences might be in play as well, mirroring, for example, differences in health care delivery models in Europe and the U.S.
As COVID-19 cases continued to soar domestically and around the world, the index edged up to 66.7 in the third quarter of 2020 from 66.5 the previous quarter. That translates to negligible growth of resources and spending allocations toward mitigating increased cyberrisks. Although some components of the index indicate marginal movements up and down, the index shows that companies with 500 or more employees in North America and Europe increased proactive security measures to protect assets and detect breaches during the period, outpacing more reactive activities, such as responding or recovering from breaches.
The index continues to show that those security professionals who took proactive measures were more satisfied with the impact of their efforts than those who focused on reactive measures.
The run-up to the U.S. presidential elections, and the potential for cyberattacks surrounding that event, also influenced cybersecurity asset allocation and spending. Companies’ approaches to these conditions suggest confidence in the cybersecurity strategies they had in place as they entered the crisis period. That confidence appeared to remain high as the year progressed.
How confidence influenced investment
In comparing overall respondents’ confidence about IT security initiatives, the Q3 Efficacy index registered at 74.2, down slightly from 75.8 in Q2. This indicates positive sentiment continued to expand this quarter, but at a slower pace compared to last quarter.
CRA found the same general pattern of increased investment and confidence across the five major NIST categories of detecting, protecting, identifying, responding, and recovering from security incidents. The category of “Protecting systems, assets, data, or capabilities from cybersecurity events or threats” got the highest score for Resource Allocation and Spending (69.7) and one of the highest for Efficacy (75.0). This is where employee training is categorized.
Within the “detecting” category, where the overall resource and spending score was 66.7, the strongest driver was “purchasing, building, upgrading, or implementing ‘secure access’ technology to prevent cyber incidents and threats regarding unauthorized or insecure application and data access by users, endpoints, and IoT devices.” Some 45 percent of respondents said they were increasing purchases and 42 percent said they were increasing proactive checking that anomalies and events could be detected. Still, the detecting category saw slightly slower growth than the previous quarter.
In North America, spending on detecting threats, which includes purchasing, building, upgrading or implementing continuous monitoring technology to monitor cybersecurity events, increased, but at a lower rate than the previous quarter. The 2.5-point drop for detecting was the largest point drop in North America of all the components measured.
Despite the European focus on proactive defenses, from a budget allocation perspective the index showed North America spending 20.3 percent on identifying cybersecurity risks to the Europeans’ spending of 20.4 percent. While spending percentages were very close, the Europeans saw a much faster expansion of resources and spending allocation. Interestingly, both regions saw a slower expansion of efficacy, with the European index slowing to 73.5 from 75 while North America slowed to 71.8 from 76.2 — a 4.4-point drop.
That slower expansion of efficacy in identification was mirrored in the protecting category, where the North American index fell to 73.1 from 77.4. In Europe, however, efficacy increased at a higher rate, growing to 79.0 — the highest efficacy level of all measured — from 74.5 in the previous quarter. This indicates that the Europeans are increasingly pleased with the results they have seen in protecting their assets during the third quarter.
More than half of all respondents (52 percent) said they faced increased threats from phishing and identity/credential theft during the quarter. When asked an open-ended question about their concerns, many mentioned the disappearing network perimeter due to work-at-home arrangements.
Other comments from respondents included some basic but effective means of protecting companies from cyberattacks. One Canadian financial services respondent said: “Increased phishing attacks and employees working from home led to increased vigilance requirements around training and awareness and detection and monitoring requirements.” A health care respondent from the U.K. said they “used [a] third-party verification system to verify security.”
While the pandemic and remote work were often cited as a reason for increased focus on information security, they were not the only concern. A U.K. financial services respondent identified “the use of firewall software to protect from hackers for remote working sites” as a key concern while a Canadian high tech/IT respondent said, “moving off site remotely has disconnected us a bit in how we watch and resolve our IT concerns; this needs to improve.”
The pandemic changed a lot of business-as-usual functions throughout the IT arena. A French manufacturing respondent said, “We have used more AI and implemented passwordless authentication. We use AI and log analysis products for threat identification and use this data to evolve our response and [a] monitoring strategy.” Similarly, a North American health care respondent noted, “We have become proactive since the pandemic. Everyone started working remotely, especially in the areas of user behavior monitoring, including device monitoring. [We] have added additional authentication if we find an anomaly.”
About the Cybersecurity Resource Allocation and Efficacy Index
The CRAE Index comprises two composite indices — Resource/Spending and Efficacy — to monitor the state of organizations’ allocations and spending on cybersecurity activities and their perceptions about the efficacy of these measures.
The CRAE Index uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which includes five components: Identify, Protect, Detect, Respond, and Recover. Index data is derived from quarterly surveys among 300 business, IT, and cybersecurity professionals at organizations with at least 500 employees in manufacturing, IT/Tech, financial services, and health care industries in North America and Europe. CyberRisk Alliance Business Intelligence and SC Media are divisions of CyberRisk Alliance.