Endpoint security, cloud security, incident response and identity and access management (IAM) are the top cybersecurity concerns for security and IT professionals in 2023, research by CyberRisk Alliance (CRA) has revealed.
Those four issues were ranked highest by respondents in several CRA surveys who were asked to list their top priorities for the new year. Each was ranked in the first, second or third spot (out of 10) by between 41% and 38% of survey respondents.
Close behind were vulnerability management and ransomware, ranked in the top three by 36% and 34% of respondents, respectively. Farther behind were zero trust (25%), threat intelligence (18%), third-party risk (16%) and hiring more IT or cybersecurity staff (13%).
Despite the ongoing trend toward cloud security, endpoint security edged past that topic to take the No. 1 spot, with 41% of respondents ranking it among their top three priorities.
This may be due to the proliferation of non-traditional endpoints in the workplace, such as mobile phones, Internet of Things devices, medical hardware and even pieces of critical infrastructure. That's according to a September 2022 CRA survey examining endpoint security.
"The most significant hurdles our organization faces in this environment are dealing with the multitude of new mobile devices and OSes being introduced at a faster pace," said one person surveyed. "It makes securing them as endpoints a challenge since the accompanying security solutions tend to lag the introduction of these devices and OSes."
Echoing those worries, an Ernst & Young study released in October 2022 found that nearly half of people under 40 said they took cybersecurity more seriously on their personal devices than on their workplace ones.
As for cloud security, ranked among the top three priorities by 40% of respondents, an October 2022 CRA survey found widespread difficulty in securely deploying and managing cloud-based systems.
Nearly half of Amazon Web Services users reported misconfiguration problems, as did 40% of Microsoft Azure/Cloud customers and 35% of Google Cloud Services users. About a quarter of respondents said they had trouble understanding the shared-responsibility model, while others reported being unable to see exactly who and what had access to cloud instances.
"We need a fool-proof way to check all configurations under one single pane of glass and have that information be clear and accurate," said one.
Like endpoint protection, incident detection and response may feel old-fashioned in the forward-looking cybersecurity industry. Yet 38% of 2022 survey respondents placed incident response among their highest priorities.
An April 2022 CRA study on extended detection and response (XDR) may explain why. Forty-seven percent of respondents said their existing security solutions had failed to properly notify them of threats at least once in the previous year, while only 17% were "very satisfied with their ability to correlate security data across all products and services."
"We didn't see any red flags," said one survey respondent. "Everything was normal. However, we were actually under attack. Even though we discovered it in less than 10 days, that's still a lot of time when you're under attack."
Identity and access management was also ranked among the top 3 priorities by 38% of 2022 respondents. A CRA study examining email security (June 2022) reflects that.
Half of respondents said they were "very concerned" or "extremely concerned" about email-based attacks in the upcoming year, although ransomware and other forms of message-borne malware were as much of a worry as stolen credentials.
"While we do run training sessions and communicate about fraudulent emails, people still click on things they shouldn't, open up emails or attachments when they shouldn't," said one respondent. "If they don't get a big red warning from the security systems, they just don't think about every email they touch."
Runners up: Ransomware, zero trust, third-party risk
Surprisingly, ransomware was ranked only No. 6, with 34% of respondents listing it among their top three priorities. A November 2022 CRA ransomware study showed that many organizations had seized the initiative in preparing for and defending against ransomware attacks. The healthcare field may be lagging behind, as several news reports indicate.
Similar proactive aggressiveness was found with vulnerability management, listed as No. 5 in the priority list. That's according to an August 2022 CRA survey that nevertheless had many respondents reporting inefficiencies that could be improved.
Zero trust and threat intelligence are hot topics in cybersecurity, yet they were far down the list of priorities. CRA surveys in March 2022 and October 2022 found slow adoption of zero-trust technologies among respondents, many of whom had only a vague idea of the concept. The opposite may be true of threat intelligence, which is nearly ubiquitous according to a December 2022 CRA survey: 91% of respondents said they used it.
Near the end of the list was third-party risk, which only 16% of respondents put among their top three priorities. That's despite widespread awareness of the problem, as evidenced by a January 2023 CRA report.
Last among the top priorities was hiring of IT and security personnel, which only 13% of respondents placed among their top three concerns. This seems to run counter to a perceived shortage of qualified personnel, with numerous news reports of problems finding, training and budgeting for cybersecurity and IT staffers.