CyberEdge 2022 CDR Report

2022 Cyberthreat Defense Report
North America | Europe | Asia Pacific | Latin America

Middle East | Africa
<< Research Sponsors >>
PLATINUM
GOLD
SILVER
Table Research Current Perceptions Current and Future
Introduction
of Contents Highlights Security Posture and Concerns Investments
Practices and The Survey Research Research About

Strategies Road Ahead Demographics Methodology Sponsors CyberEdge Group
Table of Contents
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Research Highlights. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Section 1: Current Security Posture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Past Frequency of Successful Cyberattacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Future Likelihood of Successful Cyberattacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Security Posture by IT Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Assessing IT Security Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
The IT Security Skills Shortage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Section 2: Perceptions and Concerns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Concern for Cyberthreats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Concern for Web and Mobile Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Responding to Ransomware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Barriers to Establishing Effective Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Benefits of Unified App and Data Security Defenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Hybrid Cloud Security Challenges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Boosting Careers with Cybersecurity Certifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Section 3: Current and Future Investments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
IT Security Budget Allocation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
IT Security Budget Change. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Network Security Deployment Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Endpoint Security Deployment Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Application and Data Security Deployment Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Security Management and Operations Deployment Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Identity and Access Management Deployment Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Outsourcing to Managed Security Service Providers (MSSPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Section 4: Practices and Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Security Applications Delivered via the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Practices That Support Application Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Protecting Employees Working from Home. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Emerging IT Security Technologies and Architectures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
The Road Ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Appendix 1: Survey Demographics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Appendix 2: Research Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Appendix 3: Research Sponsors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Appendix 4: About CyberEdge Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
2022 Cyberthreat Defense Report 2

Introduction

Introduction
CyberEdge’s annual Cyberthreat Defense Report (CDR) plays a

unique role in the IT security industry. Other surveys do a great Survey Demographics
job of collecting statistics on cyberattacks and data breaches
• Responses received from 1,200 qualified IT security
and exploring the techniques of cybercriminals and other bad decision makers and practitioners
actors. Our mission is to provide deep insight into the minds of IT
• All from organizations with more than 500 employees
security professionals.
• Representing 17 countries across North America,
Now in its ninth year, the CDR has become a staple among IT Europe, Asia Pacific, the Middle East, Latin America,
security leaders and practitioners by helping them gauge their and Africa
internal practices and security investments against those of their • Representing 19 industries
counterparts across multiple countries and industries. If you
want to know what your peers in IT security are thinking and
doing, this is the place to look. 3. Among cyberthreats, ransomware and account takeover
(ATO) attacks are poised to overtake malware as the #1
CyberEdge would like to thank our Silver, Gold, and Platinum
concern. Malware is still perceived as the most important
research sponsors, whose continued support is essential to the
threat, but ATO and credential abuse attacks moved up from
success of this report.
fourth place last year to #2 this year, and ransomware is only
a tad behind. We think one or the other will take over the top
Top Five Insights for 2022 spot in the next year or two (see page 17).
As always, our latest CDR installment yields dozens of actionable
4. Pressure from ransomware rachets up once again. The
insights. But the following are the top five takeaways from this
percentage of organizations victimized by a ransomware
year’s report:
attack in the past 12 months rose 2.5% to reach a new high
1. There has been no let-up in pressure on security teams. of 71.0%. Ransom demands continued to rise, and the
While the number of organizations that experienced a percentage of organizations deciding to pay jumped from
successful cyberattack dropped a touch from 86.2% in 57.0% to 62.9%, also a record. The data also points to a “sweet
the previous survey to 85.3% in this one, the percentage spot” for ransomware gangs: organizations with 5,000 to
victimized by six or more attacks increased to a new record 25,000 employees. These are being targeted more often than
of 40.7%. And the number of respondents who think it their smaller and larger counterparts because they can afford
is somewhat or very likely that their organization will be to pay high ransoms, yet disabling them does not typically
successfully attacked in the coming year reached a new disrupt local economies or shut down essential infrastructure
record of 76.1%. and draw the attention of national governments and law
enforcement agencies (see page 21).
2. The biggest security issues for many organizations are
a persistent shortfall of skilled IT security personnel 5. Security teams are getting a handle on the new norm
and low security awareness among employees. These created by COVID-19. After scrambling to adapt to the
continue to top the list of factors that inhibit organizations disruptions caused by the pandemic, they are now well
from adequately defending themselves against cyberthreats along in deploying and managing technologies and
(see page 24). We also see a lack of security skills across a processes to build security into web and mobile applications,
wide range of job roles (page 15) and find user security make work from home (WFH) secure, and improve the
awareness to be an area where our survey respondents security and economics of networking with cloud-based
doubt their organization’s capabilities (page 13). resources (see pages 50, 52, and 54, respectively).

Introduction

Introduction
Cyberwar and the Russian Invasion of Ukraine Where do we have gaps in our cyberthreat defenses relative
to other organizations?
This report is being written during the early stages of Russia’s
invasion of Ukraine. Obviously, our survey results don’t reflect the Have we fallen behind in our defensive strategy to the point
impact of that event. However, in “The Road Ahead” section that that our organization is now the “low-hanging fruit” (i.e., likely
begins on page 56, we offer some predictions about how the to be targeted more often due to its relative weaknesses)?
invasion may affect information security and the cybersecurity Are we on track with both our approach and progress in
industry. continuing to address traditional areas of concern, while also
tackling the challenges of emerging threats?
About This Report How does our level of spending on IT security compare to
The CDR is the most geographically comprehensive, vendor- that of other organizations?
agnostic study of IT security decision makers and practitioners.
Do other IT security practitioners think differently from us
Rather than compiling cyberthreat statistics and assessing
about cyberthreats and their defenses, and should we adjust
the damage caused by data breaches, the CDR surveys the
our perspective and plans to account for these differences?
perceptions of IT security professionals, gaining insights into
how they see the world. Another important objective of the CDR is to provide developers
of IT security technologies and services with information they
Specifically, the CDR examines:
can use to better align their solutions with the concerns and
The frequency of successful cyberattacks in the prior year and requirements of potential customers. Our data can lead to better
optimism (or pessimism) about preventing further attacks in market traction and success for solution providers, along with
the coming year better cyberthreat protection technologies for all the intrepid
defenders out there.
The perceived impact of cyberthreats and the challenges
faced in mitigating their risks The findings of the CDR are divided into four sections:
The adequacy of organizations’ security postures and their
Section 1: Current Security Posture
internal security practices
Our journey into the world of cyberthreat defenses begins
The organizational factors that present the most significant with respondents’ assessments of the effectiveness of their
barriers to establishing effective cyberthreat defenses organization’s investments and strategies relative to the
The investments in security technologies already made and prevailing threat landscape. They report on the frequency of
those planned for the coming year successful cyberattacks, judge their organization’s security
posture in specific IT domains and security functions, and
The health of IT security budgets and the portion of the
provide details on the IT security skills shortage. The data will
overall IT budget they consume
help you begin to assess:
By revealing these details, we hope to help IT security decision
Whether, to what extent, and how urgently changes are
makers and practitioners gain a better understanding of how
needed in your organization
their perceptions, concerns, priorities, and defenses stack
up against those of their peers around the world. IT security Specific countermeasures that should be added to
teams can use the data, analyses, and findings to answer many supplement your existing defenses
important questions, such as:

Introduction

Introduction
Section 2: Perceptions and Concerns Navigating This Report

In this section, our exploration of cyberthreat defenses shifts We encourage you to read the CDR from cover to cover, as it’s
from establishing baseline security postures to determining chock full of useful information. But there are three other ways
the types of cyberthreats and obstacles to security that most to navigate through this report, if you are seeking out specific
concern today’s organizations. The survey respondents weigh topics of interest:
in on the most alarming cyberthreats, barriers to establishing
Table of Contents. Each item in the Table of Contents
effective defenses, and high-profile issues such as ransomware
and cloud application security. We also look at how IT security pertains to specific survey questions. Click on any item to
training and professional certification can help enterprises jump to its corresponding page.
address the serious shortfall in skilled IT security staff. These Research Highlights. The Research Highlights page
appraisals will help you think about how your organization can showcases the most significant headlines of the report. Page
best improve your cyberthreat defenses going forward. numbers are referenced with each highlight so you can
quickly learn more.
Section 3: Current and Future Investments
Navigation tabs. The tabs at the top of each page are
Your organization can ill afford to stand still when it comes to
clickable, enabling you to conveniently jump to different
maintaining effective cyberthreat defenses. Your IT security
sections of the report.
team must keep pace with changes occurring in business,
technology, and threat landscapes. This section of the survey
provides data on the direction of IT security budgets, and on
Contact Us
current and planned investments in network security, endpoint Do you have an idea for a new topic that you’d like us to address
security, application and data security, security management next year? Or would you like to learn how your organization can
and operations, and identity and access management. You will sponsor next year’s CDR? We’d love to hear from you! Drop us an
be able to compare your organization’s investment decisions email at [email protected].
against the broad sample and get a sense of what “hot”
technologies your peers are deploying.
Section 4: Practices and Strategies

Mitigating today’s cyberthreat risks takes more than investing
in the right technologies. You must ensure those technologies
are deployed optimally, configured correctly, and monitored
adequately to give your organization a fighting chance to avoid
being a front-page news story. In the final section of the survey
our respondents provide information on how they are deploying
and using leading-edge technologies and services for tasks such
as strengthening application security and protecting employees
working from home.

Introduction

Research Highlights
Current Security Posture Current and Future Investments

Six+ cyberattacks becoming common. Last year, 85.3% of Security spending solid. The percentage of overall IT
organizations experienced a successful cyberattack, while budgets allocated to security held steady at a near-record
those experiencing 6+ attacks rose to a new high of 40.7% 12.7% (page 32).
(page 7). More for most. A strong 83.2% of organizations expect to
No let-up seen. The number of respondents saying a see their IT security budget grow this year (page 34).
successful attack is likely in the coming year reached a new Network security warhorses. Five security technologies are
record of 76.1% (page 9). currently in use in at least 55% of organizations (page 36).
SaaS apps well protected. Respondents have confidence in
Endpoint security basics. Basic anti-virus is ubiquitous on
the security posture of SaaS companies, but not so much in endpoints, and EDR, DLP, and EPP are popular. Deception
their own mobile devices or APIs (page 11). technology is an intriguing newcomer (page 38).
Attack surface blues? Respondents have doubts about their
Watch those APIs! Solutions to protect APIs are the leading
organization’s ability to manage attack surfaces – and about application and data security technology, adopted in almost
user security awareness (page 13). two-thirds of organizations (page 40).
Ongoing talent drought. 84.1% of organizations can’t find
Must manage risk. In the area of security management,
enough skilled security people. If you are one, ask for a raise cyber risk management and reporting products are
(page 15)! becoming essential (page 42).
Identities at center stage. Last year, organizations increased
Perceptions and Concerns their use of nine of the 10 identity and access management
New threats rising. ATO and ransomware attacks are closing technologies we follow (page 44).
in on malware as the cyberthreats of greatest concern (page MSSPs making friends. Because of staffing shortages,
17). organizations are outsourcing more tasks to managed
PII and credentials at risk. Among web and mobile security service providers (page 46).
application attacks, PII harvesting and ATO are the most
prevalent and concerning (page 19). Practices and Strategies
Good and bad news on ransomware. Damage from
Cloud security edging ahead. The percentage of security
ransomware continues to grow, but governments and law applications and services delivered via the cloud rose 0.5%, to
enforcement agencies are finally striking back (page 21). 41.1% (page 48).
People problems persist. Yet again, the two biggest barriers
Baking security into the app. Organizations are embracing
to effective security are a lack of skilled personnel and a range of technologies to enhance application security (page
employees’ low security awareness (page 24). 50).
Integrated defenses are good for you. Respondents cite
Safe at home. To protect work from home, organizations rely
multiple benefits of unified app and data security defenses on old standbys like anti-virus solutions and VPNs and new
(page 26). approaches like SASE and ZTNA (page 52).
Hybrid cloud security challenges. Distributing apps
Security in packets and hardware. Organizations are rapidly
across data centers and cloud platforms creates significant deploying SD-WAN technology and hardware-based security
challenges for security teams (page 28). (page 54).
Cloud and software security education requested.
Security professionals see certifications, especially in cloud
and software security, as career boosters (page 30).

Introduction

Past Frequency of Successful Cyberattacks

How many times do you estimate that your organization’s global network has been compromised
by a successful cyberattack within the past 12 months?
Not once It isn’t a matter of money: IT security budgets have continued

Between 1 to grow in most places, albeit at a slightly slower rate than in
14.7% and 5 times previous years (page 24). In fact, lack of budget ranks near the
More than
10 times 44.6% bottom of the list of factors that inhibit security teams from
12.8% adequately defending against cyberthreats (page 24).
However, the typical organization’s attack surface continues

to expand, driven primarily by the effects of the COVID-19
pandemic. Security teams must work hard to protect more
27.9% employees working from home (page 52), protect more software
Between 6 and
10 times in hybrid cloud environments (page 28), and build better security
into web and mobile applications (page 19). At the same time,
security teams are facing insidious new threats. Two of the
Figure 1: Frequency of successful cyberattacks in the last 12 months.
At least one successful attack
Six or more successful attacks
86.2% 85.3%
A short summary of the cybersecurity landscape over the past
80.7%
year: gale-force winds continue. 79.2%
77.2% 78.0%
75.6%
More than six out of seven organizations (85.3%) experienced 70.5%
a successful cyberattack within the last 12 months. That’s down
a touch from the previous year’s record high of 86.2%, but 61.9%
still substantially larger than in any of the prior seven years of

this survey. The number of organizations suffering six or more
successful attacks set a new record of 40.7%. That contrasts with
only 16.2% eight years ago (see Figures 1 and 2).
39.7% 40.7%
In the course of this report, we will explore many reasons why 35.2%
32.9% 31.5%
the pressure on IT security teams has remained so strong.
27.4%
22.6% 23.8%
16.2%
“A short summary of the cybersecurity

landscape over the past year: gale-force
2014 2015 2016 2017 2018 2019 2020 2021 2022
winds continue.”
Figure 2: Percentages compromised by at least one successful attack
and by six or more successful attacks.

Introduction

blockbuster issues of the past year have been the increasing Not far behind were finance (88.2%), manufacturing (86.4%), and
popularity (for cybercriminals) of double extortion ransomware, retail (85.6%). Healthcare (75.3%) and government (68.2%) were
which not only encrypts data but also exfiltrates it to the web affected somewhat less often (see Figure 3).
(where it can be published), and vulnerabilities in the Log4j
Looking globally, the countries with the highest percentage
utility from Apache, which could potentially affect 3 billion
of organizations successfully attacked were Colombia (93.9%),
devices and applications.
Turkey (93.7%), Spain (91.8%), Mexico (90.6%), Canada (89.8%),
And the pressure can’t be relieved by hiring, since the vast and France (89.3%). The UK, Germany, and Australia were at the
majority (84.1%) of organizations are already experiencing a other end of the spectrum, with 81.4%, 72.6%, and 62.5% of
shortfall in IT security personnel (page 15). their organizations being compromised, respectively (see Figure
4). Maybe the Aussies know something. Not only was Australia
But don’t give up hope. We will also review the technologies
the only country where less than 70% of organizations were
that organizations are planning to implement in areas such
breached at least once, but only 20.9% of the organizations
as network, endpoint, application, and identity security
there reported six or more successful attacks, about half of the
(pages 36-45) and how organizations can use security training
international average.
and certifications to move junior security professionals into
more-advanced roles (page 30).
Now, back to our data about successful cyberattacks in the past year.
Of the seven major industries surveyed for this report, education Colombia 93.9%
was the most often victimized for the second year in a row Turkey 93.7%
(90.5%), followed closely by telecom and technology (90.3%). Spain 91.8%
Mexico 90.6%
Canada 89.8%
Education 90.5% France 89.3%
Brazil 88.2%
Telecom & Technology 90.3% Saudi Arabia 87.8%
Japan 87.2%
Finance 88.2%
USA 86.8%
Manufacturing China 86.0%

86.4%
Italy 85.7%
Retail 85.6% South Africa 84.0%

Singapore 82.0%
Healthcare 75.3% UK 81.4%
Germany 72.6%
Government 68.2% Australia 62.5%
Figure 3: Percentage compromised by at least one successful attack Figure 4: Percentage compromised by at least one successful attack
in the past 12 months, by industry. in the past 12 months, by country.

Introduction

Future Likelihood of Successful Cyberattacks

What is the likelihood that your organization’s network will become compromised by a successful
cyberattack in 2022?
Somewhat or very likely 75.6% 76.1% The best we can say is that the rate of increase in the combined
Very likely total has slowed to half a percentage point in this survey, after
69.3%
having jumped 2.9%, 4.1%, and 6.3% in the 2019, 2020, and 2021
65.2%
62.1% 61.5% 62.3% CDRs, respectively. We think the curve has flattened because
organizations have spent the last two years putting in place
infrastructure and processes to protect remote operations,
51.9%
home-based workers, and personal devices (i.e., devices not
managed by the IT department). Examples of such measures
include bring-your-own-device (BYOD) policies and zero trust
38.1%
network access (ZTNA) approaches to network and application
35.1% access (see pages 52 and 54). Those investments are giving
32.0% security teams greater confidence in their ability to manage the
27.2% challenges created by the COVID-19 pandemic.
20.4% 19.7% 21.2% It is interesting to note that the 76.1% of respondents indicating
16.1% that a successful attack is somewhat or very likely in the
14.0%
coming 12 months is less than the 85.3% who experienced
8.5% such an attack in the past year. In other words, at least some
security professionals who were victimized last year think their
2014 2015 2016 2017 2018 2019 2020 2021 2022 organizations are better able to defend themselves this year. Or
else they are just optimistic. A positive attitude is healthy, when
Figure 5: Percentage indicating compromise is “more likely to occur not taken to extremes. Perhaps we should all follow the example
than not” in the next 12 months.
of Benjamin Disraeli, the 19th century British prime minister, who
said: “I am prepared for the worst, but hope for the best.”
Expectations about successful cyberattacks over the coming 12
months reached a new high in this year’s survey. The number of
respondents indicating that such an attack was either “somewhat
likely” or “very likely” edged up from 75.6% to 76.1%. In addition, “Perhaps we should all follow the example of
the mix between those two views shifted for the worse. The Benjamin Disraeli, the 19th century British prime
percentage saying a successful attack was “very likely” jumped minister, who said: ‘I am prepared for the worst,
by 3.1%, to 35.1%. That is four times the number (8.5%) who
but hope for the best.’”
gave that response eight years ago when this survey started (see
Figure 5).

Introduction

When we look at expectations by country, the highest number By industry, respondents from finance are expecting the worst
of respondents predicting successful cyberattacks were in Japan (86.7%), followed by those in education (84.1%), telecom and
(87.9%), Canada (85.4%), and Singapore (84.0%). In the middle of technology (79.1%), and healthcare (76.0%). Those in retail
the pack: the United States (79.7%), Spain (76.0%), and Germany (70.4%) and manufacturing (68.9%) were more sanguine.
(74.3%). The optimists were Colombia (60.7%), Brazil (55.9%), and And as on the previous question, security professionals in the
Turkey (a mere 38.0%) (see Figure 6). government sector (54.3%) were least worried (see Figure 7).
Japan 87.8%
Finance 86.7%
Canada 85.4%
Singapore 84.0% Education 84.1%

South Africa 83.7%
UK 83.4% Telecom & Technology 79.1%

China 82.0%
Saudi Arabia 80.0%

Healthcare 76.0%
USA 79.7%
Retail 70.4%
Spain 76.0%
Germany 74.3%
Manufacturing 68.9%
Italy 74.0%
Australia 74.0%
Government 54.3%
France 70.8%
Mexico 63.6% Figure 7: Percentage indicating compromise is “more likely to occur

than not” in the next 12 months, by industry.
Colombia 60.7%
Brazil 55.9%
Turkey 38.0%
Figure 6: Percentage indicating compromise is “more likely to occur

than not” in the next 12 months, by country.

Introduction

Security Posture by IT Domain

On a scale of 1 to 5, with 5 being highest, rate your organization’s overall security posture
(ability to defend against cyberthreats) in each of the following IT components:
Cloud applications (SaaS) 4.13
Servers (physical and virtual) 4.12
Datastores (file servers, databases, SANs) 4.11
Laptops / notebooks 4.11

Websites and web appliations 4.09
Application Containers 4.09
Cloud infrastructure (IaaS, PaaS) 4.08

Desktops (PCs) 4.04
Network perimeter / DMZ (public web servers) 4.04
Application program interfaces (APIs) 4.02
Internet of Things (IoT) 4.01
Industrial control systems (ICS) / SCADA devices 4.0
Mobile devices (smartphones, tablets) 3.98
Figure 8: Perceived security posture by IT domain.
Each year we try to gauge how security professionals feel about This year respondents chose software as a service (SaaS) cloud
their ability to defend against cyberthreats across different types applications as the area where they are most comfortable about
of systems, technologies, and environments. This information their organization’s security posture. SaaS moved up from third
gives us a picture of the IT domains where they are most position in the previous two surveys. Clearly, SaaS vendors have
confident, and those that are creating the most headaches (see done a good job of staying on top of security issues (or at least
Figure 8). are perceived that way by their customers).

Introduction

Respondents are also confident about physical and virtual

servers, as well as datastores such as file servers, databases, and
“Laptops and notebooks joined the top tier,
SANs. These are always at or near the top of the list because they
are mostly located in data centers under the direct observation in fourth position, moving up from eighth in the
and control of operations and security staffs. previous survey… We believe this reflects the
Laptops and notebooks joined the top tier, in fourth position, attention and effort over the past two years that
moving up from eighth in the previous survey. In fact, this area has gone into better protection for remote
had the largest year-to-year increase in security posture ratings,
and home workers.”
from 4.01 last time (on a scale of 1 to 5) to 4.11 in this one. We
believe this reflects all the attention and effort over the past
two years that has gone into better protection for remote and
home workers in response to COVID-19. On page 52 we discuss
technologies and architectures that are enabling employees to Application programming interfaces (APIs), which were in the
securely work from home. middle of the pack last year, have now emerged as fourth-
highest area of concern. As organizations move to modular
The IT domain that most concerns respondents is mobile devices
services-based cloud applications, APIs become more tempting
such as smartphones and tablets. A big part of the problem is
targets for threat actors. Protecting APIs is likely to become an
that COVID has increased the business use of mobile devices
even bigger issue over the next few years. We will have more to
owned by employees. These cannot easily be updated, locked
say about this later in this report (pages 40 and 59).
down, or even monitored by their employers, and are therefore
less defended and more vulnerable to attacks. A multi-sponsor One final observation: the security posture ratings increased
survey report published by CyberEdge in 2020, “The Impact of from last year in every single category. This fact shows that
COVID-19 on Enterprise IT Security Teams Report,” showed a organizations are feeling a little bit better about the defenses
nearly 60% leap in the number of organizations implementing they have in place to stop cyberthreats. Perhaps this is an early
BYOD policies in response to the new pandemic reality. Clearly, sign that security teams are finally catching up with threat actors
IT security teams continue to be nervous about securing in their ongoing arms race.
employee-owned mobile devices.
The next two greatest areas of concern are “manufacturing and

operational technology (OT),” which includes categories such
as industrial control system (ICS) and supervisory control and
data acquisition (SCADA) systems, and devices that make up
the emerging internet of things (IoT). These are areas with large
numbers of devices that were never designed with security
in mind. They are also being targeted by state-sponsored and
criminal hacking groups, with a few well-publicized incidents
related to international conflicts and blackmail.

Introduction

Assessing IT Security Functions

On a scale of 1 to 5, with 5 being highest, rate the adequacy of your organization’s capabilities
(people and processes) in each of the following functional areas of IT security:
Governance, risk and compliance (GRC) 4.14
Identity and access management (IAM) 4.14
Detection of advanced / sophisticated threats 4.13

Application development and
testing (SDLC, DevSecOps) 4.12
Incident investigation and response 4.12
Security engineering / architecture and design 4.11
Brand protection 4.11
Cyber risk quantification and reporting 4.10
Detection of rogue insiders / insider attacks 4.09
Third-party risk management (TPRM) 4.07
User security awareness / education 4.6

Attack surface reduction
4.03
(patch management, pen testing)
Figure 9: Perceived adequacy of functional security capabilities.
This question asks respondents to rate the adequacy of their Organizations remain most positive about their capabilities for
organization’s capabilities in different functional areas of governance, risk and compliance (GRC) and identity and access
IT security. The answers show us perceived strengths and management (IAM). These are followed closely by detection of
weaknesses in security-related processes and programs (see advanced threats and application development and testing,
Figure 9). two areas where many organizations have made considerable
investments in the past couple of years.

Introduction

However, respondents were somewhat less upbeat about their

organization’s processes for security engineering, architecture,
“The area of greatest concern is attack
and design. That function was at the top of the list in the
previous survey, but fell to sixth place in this one. surface reduction... Attack surfaces have been
expanding... Finding and fixing vulnerabilities
The area of greatest concern is attack surface reduction, which
includes disciplines such as patch management, vulnerability across all these areas will continue to be a
management, penetration testing, and security configuration growing challenge for the foreseeable future.”
management. Attack surfaces have been expanding as workers
use more mobile and personal devices in less-protected settings,
and access applications hosted in a greater variety of cloud
environments. Finding and fixing vulnerabilities across all these
areas will be a growing challenge for the foreseeable future. We introduced a new functional area in this year’s survey: cyber
risk quantification and reporting. We see many organizations
User security awareness and education is another significant
devoting more time and resources to these activities recently.
challenge. Threat actors continue to develop ingenious phishing
This trend is driven in a large part by the need to justify security
and social engineering campaigns to acquire valid credentials,
investments to top executives and boards of directors, and to
plant malware, and otherwise leverage human weaknesses to
show progress toward security program goals. The data shows
further their malicious activities. As we will see on page 24, low
this area falling in the middle range as far as adequacy of
security awareness among employees is now the second-most
capabilities.
serious barrier to establishing effective defenses against
cyberthreats (after a lack of skilled security personnel). We should note that our survey was conducted in November
2021, just before the Log4j security vulnerabilities came to light.
Another problematic functional area is third-party risk
Undoubtedly, concerns about functions like attack surface
management (TPRM). It is very difficult to monitor, much less
reduction and application testing have intensified considerably
improve, the security practices of suppliers and other third
since then.
parties that have access to an organization’s applications and
data. The press continues to report major data breaches that
originate from credentials and PII captured from third parties and
from vulnerabilities and misconfiguration in vendors’ software
and systems.

Introduction

The IT Security Skills Shortage

Select the roles/areas for which your organization is currently experiencing a shortfall of skilled
IT security personnel. (Select all that apply.)
2022 2021 A shortage of experienced IT security personnel has been a

serious problem for the great majority of organizations for at
40.5% least the past five years. As shown on page 24, it is the single
IT security administrator
40.4% most serious barrier to establishing effective defenses against
IT security analyst /
cyberthreats.
33.2%
operator / incident
responder 35.0% Just like last year, the greatest unfilled demand is for security
administrators, who have the critical job of installing, configuring,
IT security architect / 32.4% and maintaining security tools and infrastructure. Four out of
engineer 32.6% 10 organizations (40.1%) can’t find enough (see Figure 10).
28.6%
One in three organizations can’t find enough IT security analysts,
IT security /
compliance auditor 29.8%
operators, or incident responders (33.2%). The shortfall was
slightly less than in the previous survey, when it was 35.0%.
28.5% Almost one-third of organizations are short of IT security
Application security tester
26.4% architects and engineers (32.4%), essentially the same as a
year ago.
28.0%
DevSecOps engineer Rounding out the roles were application security testers (28.5%),
25.7%
DevSecOps engineers (28.0%), and risk and fraud analysts
(24.0%). The deficit of application security testers and DevSecOps
24.0%
Risk/fraud analyst engineers worsened from the previous survey, probably the
25.9%
result of a turn toward building security into applications rather
Figure 10: Cybersecurity skills shortage, by role. than relying entirely on perimeter defenses.

Introduction

87.0% Of the major industries, the highest percentage of organizations

84.2% 84.8% 84.1% with staffing issues were in education (91.1%), healthcare
80.9% (88.0%), retail (86.7%), finance (86.7%), and telecom and
technology (85.4%). Government (81.6%) and manufacturing
(78.7%) are in slightly less dire straits (see Figure 12).
“Surprisingly, the percentage [experiencing

2018 2019 2020 2021 2022
a shortfall] fell somewhat... However, that
Figure 11: Percent of organizations experiencing a shortfall of skilled
IT security personnel. lower number still represents more than
five out of six organizations.”
Figure 11 shows the percentage of organizations suffering from

a shortfall of skilled IT security personnel in at least one role
over the last five years. The trend is clearly upward, although
surprisingly, the percentage fell somewhat in this survey, from Education 91.1%
87.0% to 84.1%. However, that lower number is comparable to
the percentages in the two previous years, and still represents Healthcare 88.0%
more than five out of six organizations. Also, in some countries
90% or more of organizations couldn’t fill jobs in at least one Retail 87.5%
category: South Africa (90%), Colombia (90.9%), China (93.9%),
Singapore (94.0%), and Japan (100% !!!).
Finance 86.7%
One explanation for this year’s leveling off is that more
organizations are turning to managed security services providers Telecom & Technology 85.4%
(MSSPs) to outsource one or more security tasks. Statistics about
the usage of MSSPs are shown on page 46. Government 81.6%
Manufacturing 78.7%
Figure 12: Percentage of organizations experiencing a shortfall

of skilled IT security personnel, by industry.

Introduction

Section 2: Perceptions and Concerns
Concern for Cyberthreats

On a scale of 1 to 5, with 5 being highest, rate your overall concern for each of the following
types of cyberthreats targeting your organization.
Malware (viruses, worms, Trojans) 4.01
Account takeover / credential abuse attacks 3.97
Ransomware 3.96
Phishing / spear-phishing attacks 3.93

Attacks on brand and reputation
in social media and on the web 3.86
Advanced persistent threats (APTs) / targeted attacks 3.85
Denial of service (DoS/DDoS) attacks 3.85
SSL-encrypted threats 3.84

Web application attacks
3.83
(SQL injections, cross-site scripting)
Insider threats / data exfiltration by employees 3.83
Zero-day attacks (against publicly 3.82
unknown vulnerabilities)
Drive-by downloads / watering-hole attacks 3.78
Figure 13: Relative concern for cyberthreats, by type.
What types of threats are keeping security professionals up The surprise in this data is that account takeover (ATO) and
at night? For the seventh year in a row, malware tops the list credential abuse attacks (which include credential stuffing)
(see Figure 13). That’s not remarkable, since malware is a key moved up from fourth place last year to second place in
component of most digital skimming, ransomware, phishing, this survey, slightly ahead of ransomware (!) and just behind
and targeted attacks, among others, and threat actors continue malware. In fact, the average concern rating for this type of
to come up with new techniques that allow malware to evade attack increased the most of any of the 12 categories on this list,
detection. rising .08 from 3.89 to 3.97 (on a scale of 1 to 5). The increase was
driven by an upsurge in concern among finance and financial
services companies, and to a lesser extent among manufacturing
and telecom and technology companies.

Introduction

Of course, ransomware is also near the top of the list, in third Respondents were least concerned about zero-day attacks,
position and just a tad behind ATO attacks. The average concern drive-by downloads, and watering hole attacks. However, as we
rating for ransomware increased .04 from last year, also a pretty mentioned earlier, the survey was conducted before the Log4j
big one-year jump. Clearly this was fueled by increased coverage story broke. As a result of that vulnerability, zero-day attacks may
of ransomware attacks in the press (e.g., Colonial Pipeline), move up a bit in next year’s report.
demands for larger ransom payments, and the emergence of
Every year we average the ratings across all categories to create
“double extortion ransomware attacks” (see page 21).
a “Threat Concern Index” (see Figure 14). That index remains at
In fact, based on current trends, we expect the level of concern a record high of 3.88. As we mentioned earlier, gale-force winds
about account takeover and ransomware attacks to pull even continue to blow in the world of cybersecurity.
with or pass malware on this list in the next year or two.
We also want to note the rising anxiety about attacks on brand

and reputation in social media and on the web. The concern 3.88 3.88
rating for that category rose .07, the second-largest increase this 3.79
3.75
3.71
year, lifting it from 11th to 5th position on the list. We believe
3.61
the increase is due both to more activity by threat actors (such 3.54 3.52
as typosquatting and hijacking social media accounts) and the
recognition that this issue belongs to IT security teams as well as
marketing and social media groups within the enterprise. 3.26
“Based on current trends, we expect the

level of concern about account takeover
and ransomware attacks to pull even or pass
malware on this list in the next year or two.”
2014 2015 2016 2017 2018 2019 2020 2021 2022
Figure 14: Threat Concern Index, depicting overall concern for cyberthreats.

Introduction

Concern for Web and Mobile Attacks

Which of the following attacks on your web and mobile applications are most concerning? (Select up to three.)
Personally identifiable information 46.6%

(PII) harvesting
Account takeover / 45.5%

credential stuffing attacks
Carding / payment fraud attacks 39.6%
Digital skimming / Magecart attacks 33.2%
Denial of inventory attacks 24.6%
Hoarding attacks 20.4%
Figure 15: Most-concerning web and mobile application attacks.
In this question we drill down into worries about threats to web

and mobile applications. From a list of six types of web and
“The number of work-from-home employees
mobile application attacks, we asked respondents to select up to
three that concern them the most (see Figure 15). continues to rise... creating more targets for
The percentage of concerned respondents increased in all four
cybercriminals and more incentives to perfect
of the categories that were repeated from last year (the top their tactics, techniques, and procedures.”
four shown in Figure 15). Why? The number of work-from-home
employees continues to rise, as well as the number of study-
at-home students, creating more targets for cybercriminals
and more incentives to perfect their tactics, techniques, and
procedures.

Introduction

This year, harvesting of personally identifiable information (PII) Not affected

rose to the top of the list, edging out ATO and credential stuffing
9.7%
attacks. The number of respondents concerned about these
attacks jumped almost 7% percent from last year, from 39.7%
to 46.6%. PII harvesting often involves hiding code in JavaScript
that captures financial and personal data, including credentials
from forms on users’ browsers. The data and credentials are
sent to a server controlled by threat actors, who can use them
to access user accounts, strengthen phishing attacks, steal 90.3% Affected
identities, and perform other malicious activities. In our survey,
more than half of all respondents in education, aerospace and
defense, finance, entertainment, and healthcare were particularly
worried about PII harvesting.
Figure 16: Organizations affected by a web or mobile application attack.
The share of organizations concerned about ATO and credential
stuffing attacks also increased from the previous survey, from
43.7% to 45.5%. Next in line are carding and payment fraud
attacks (39.6%) and digital skimming and Magecart attacks
Spain 98.0%
(33.2%). Less common, but still affecting a significant number
of organizations, are denial of inventory attacks (24.6%) and China 98.0%
hoarding attacks (20.4%). Japan 95.9%

Canada 94.0%
The vast majority of organizations in this survey are concerned
about attacks on web and mobile applications. Nine out of 10 Colombia 93.9%
respondents (90.3%) indicated concerns about one or more of Italy 92.0%

the attacks on the list (see Figure 16). Saudi Arabia 92.0%
The numbers were particularly high in Spain (98.0%), China (also Singapore 92.0%
98.0%), and Japan (95.6%) (see Figure 17). The lowest levels of Turkey 91.8%
concern (that is, relatively lowest, although still very high) were Brazil 91.2%
reported in the United States (87.6%), Germany (86.3%), and Mexico 90.9%
Australia (84.8%).
France 90.5%
South Africa 89.8%
UK 88.0%
USA 87.6%
Germany 86.3%
Australia 84.8%
Figure 17: Organizations affected by a web or mobile application

attack, by country.

Introduction

Responding to Ransomware
If victimized by ransomware in the past 12 months, did your organization pay a ransom
(using Bitcoins or other anonymous currency) to recover data?
2021 saw a lot of big developments in the ransomware industry 71.0%

(and yes, today ransomware is an industry, with hundreds 68.5%
of millions of dollars in revenue and large, highly structured
organizations). Some of the more noteworthy: 62.4%
Very high-visibility attacks affected hundreds or thousands of 56.1%

55.1%
people, including attacks on the Colonial Pipeline (which cut
off fuel delivery to 10,000 gas stations in the eastern United
States), the giant meatpacker JBS (which created shortages
of meat products in several US states), and Ireland’s Health
Service Executive (which disrupted healthcare services across 2018 2019 2020 2021 2022
Ireland).
Figure 18: Percentage of organizations affected by ransomware.
“Double extortion” ransomware attacks emerged as a major
threat type; now ransomware gangs exfiltrate a copy of data
before encrypting it, then threaten victims with exposure of of punishment. In addition, more bad actors can participate by
sensitive information as well as data loss. leveraging the growing number of “ransomware-as-a-service”
businesses that provide infrastructure to launch and manage
The average size of ransomware payments increased
ransomware attacks.
significantly.
The percentage of organizations that paid ransoms also
National governments and international agencies finally
increased substantially, from 57.0% in our last survey to 62.9%
started to crack down on major ransomware gangs (notably
now (see the middle section of Figure 20). This rise reflects
Russia’s takedown of the REvil organization) and to push
several trends, including added pressure from data exfiltration
government and commercial organizations to harden their
and the threat of data exposure.
environments, disclose more information about attacks, and
work closely with law enforcement groups. Another factor is a cycle we have described in previous reports:
ransomware gangs have noted that when they are conscientious
What data do we have about ransomware attacks?
about helping victims recover their data, other victims are more
The percentage of companies victimized by a ransomware likely to pay ransoms, which increases the profits of the gangs
attack in the past 12 months set a new record (see Figure 18). and creates a greater incentive to launch more campaigns. Our
That figure rose from 55.1% in our 2018 report, to 62.4% two data shows this cycle in action (see Figure 20). Over the past two
years ago, to 68.5% last year, to 71.0% now. Threat actors years the percentage of ransom payers who recovered their data
continue to expand their activities, and no wonder: for most rose 3.4% from 68.8% to 72.2%, creating a tendency for more
of them ransomware campaigns represent “easy money,” with victimized companies to pay ransoms, up 5.4% over two years,
rising revenue from each attack (see Figure 19) and little chance and leading to more attacks, up 8.6% during the same period.

Introduction

$322,168
$233,817
$220,298
$178,254 $154,108
$136,571 $139,739
$111,605
$84,116
$36,295
$41,198
$12,762
Q1'19 Q2'19 Q3'19 Q4'19 Q1'20 Q2'20 Q3'20 Q4'20 Q1'21 Q2'21 Q3'21 Q4'21
Figure 19: Average ransom payments, by quarter (data source: Coveware Quarterly Ransomware Reports).
Ransom Payers Victimized Organizations Organizations Affected

That Recovered Data That Paid Ransoms by Ransomware
71.6% 72.2% 71.0%

66.8% 68.5%
61.2% 62.9% 62.4%
57.7% 57.0% 56.1%
45.0%
2019 2020 2021 2022 2019 2020 2021 2022 2019 2020 2021 2022
Figure 20: The ransomware vicious cycle: increased odds of recovering data … entice more victims to pay ransoms … which motivates more
ransomware attacks.
Figure 21 provides more evidence that ransomware medium-large and large organizations, with 5,000-9,999 and
gangs operate like profit-maximizing businesspeople who 10,000-24,999 employees, respectively, are most likely to be
rationally assess opportunities and risks. Our data shows that victimized by ransomware (73.5% and 74.7%, respectively).

Introduction

Why would these entities be targeted more often than to pay higher ransoms. But then why would enterprises with
organizations with 500-999 employees, victimized at a rate of more than 25,000 employees, which presumably could afford
70.4%, and those with 1,000-4,999 workers, of which 69.6% were the largest payments, be victimized at the (relatively) low rate
hit? Because the medium and large organizations can afford of 67.0%? As the ransomware gangs acknowledged publicly,
taking out a big piece of someone’s economy or shutting down
essential infrastructure is bad for business because it attracts
500 – 999 70.4%
too much attention from national governments and law
enforcement agencies.
1,000 – 4,999 69.6% Finance (80.6%), telecom and technology (74.0%), and education
(73.3%) were the worst-hit industries (see Figure 22). The least
affected were healthcare (57.9%) and government (45.8%).
5,000 – 9,999 73.5%
As shown in Figure 23, a shocking nine out of 10 organizations
(89.6%) in China suffered ransomware attacks, followed by South
Africa (89.6%) and the United States (81.6%). At the light end
10,000 – 24,999 74.7%
of the scale were Japan (60.4%), Germany (60.0%), Colombia
(53.1%), Mexico (45.5%), and Turkey (44.9%).
More than 25,000 67.0%

China 89.6%
South Africa 82.0%

Figure 21: Percentage of organizations affected by ransomware in the
last 12 months, by employee count. USA 81.6%
Singapore 78.0%
Saudi Arabia 77.6%

Finance 80.6% UK 73.0%
Spain 69.4%
Telecom & Technology 74.0% France 64.9%
Italy 64.0%
Education 73.3%
Canada 63.3%
Australia 63.0%
Retail 66.7%
Brazil 61.8%
Manufacturing 64.8% Japan 60.4%

Germany 60.0%
Healthcare 57.9% Colombia 53.1%
Mexico 45.5%
Government 45.8% Turkey 44.9%
Figure 22: Percentage of organizations affected by ransomware in the Figure 23: Percentage of organizations affected by ransomware in the
last 12 months, by industry. last 12 months, by country.

Introduction

Barriers to Establishing Effective Defenses

On a scale of 1 to 5, with 5 being highest, rate how each of the following inhibit your organization
from adequately defending itself against cyberthreats.
Lack of skilled personnel 3.74
Low security awareness among employees 3.72

Poor integration/interoperability
3.66
between security solutions
Lack of management support/awareness 3.65
Too much data to analyze 3.64

Poor/insufficient automation of threat
detection and response processes 3.63
Lack of contextual information from security tools 3.62
Too many false positives 3.58
Lack of effective solutions available in the market 3.58
Lack of budget 3.55
Figure 24: Inhibitors to establishing effective cyberthreat defenses.
Agile software development teams hold daily “standup” For the third year running, the top two impediments have been
meetings where each person briefly answers three questions: lack of skilled personnel and low security awareness among
employees (see Figure 24).
1. What did you do yesterday?
2. What will you do today?
3. What impediments are blocking your progress?
Most of this report explores the answers security professionals

“For the third year running, the top
give about their current practices and their plans for the coming two impediments have been lack of skilled
12 months. This question focuses on the equally important third personnel and low security awareness
query: what is inhibiting your organization from adequately
among employees.”
defending itself against cyberthreats? And by implication, what
could be changed to make you more successful?

Introduction

3.65 3.64 Low security awareness among employees is the second-

3.53 highest impediment to security. Coincidentally (or perhaps
3.41
not), Figure 9 on page 13 shows that user security awareness
3.37
is the IT security function with the second-to-lowest rating for
3.19
adequate organizational capabilities. Threat actors continue to
3.18
see employees as the weakest link in defenses, susceptible to
2.99 phishing campaigns, social engineering attacks, business email
2.94
compromise (BEC) attacks, and other techniques that play on
human (rather than technical) weaknesses. Deep fakes and the
availability of personal details on social media are likely to make
it even easier to hoodwink employees. A few organizations
have begun to take aggressive measures to improve security
awareness, such as ongoing security training and simulated
phishing and social engineering attacks, but clearly not enough
is being done to educate employees.
The next tier of issues are poor integration and interoperability

2014 2015 2016 2017 2018 2019 2020 2021 2022 between security solutions, lack of management support, and
too much data to analyze.
Figure 25: Security Concern Index, depicting the average rating
of security inhibitors. The inhibitors at the bottom of the list? Lack of effective solutions
available in the market and lack of budget. New security
technologies continue to come onstream, and organizations are
As we saw on page 15, five out of six organizations have not willing to pay for them. The constraint is finding enough people
been able to recruit enough skilled IT security personnel. And with the right skills to evaluate, deploy, integrate, and manage
we know that COVID-19 has put additional strain on existing them.
professionals in the field. They have to defend an ever-expanding
attack surface, and today many do so from home, without We have averaged the ratings across all categories to create a
the resources of a physical operations center. This question “Security Concern Index” (see Figure 25). That index remains at a
highlights the impact of those factors. Not only is lack of skilled near-peak level of 3.64. While some inhibitors have become less
personnel the #1 inhibitor to effective cyberthreat defenses, irksome than in previous years, others have become even more
but the average rating for this issue increased by .04 from last problematic.
year, more than any other item on this list. Our hats are off to the
dedicated professionals who have stepped up their workloads
despite disruption to their personal lives.

Introduction

Benefits of Unified App and Data Security Defenses

Which of the following have been the biggest benefits of leveraging a unified platform for application and
data security defenses (e.g., WAF, DDoS protection, RASP, API security, data risk analytics, database security)?
(Select up to three.)
Improved cloud security posture 55.5%
Enhanced security incident investigations 48.4%
Improved customer support experience 45.8%
Simplified security rules management 43.6%
Fewer third-party integrations to manage 32.9%
Figure 26: Benefits achieved by unifying application and data security defenses.
When it comes to sourcing related technologies, security In this question we asked respondents about the benefits of
professionals are often faced with a choice between a leveraging a unified platform for application and data security
multiple-source, best-of-breed approach and a single-source, defenses (see Figure 26).
integrated solution approach. The former offers the widest
Of the organizations that have implemented this type of
choice of features across the different areas, but usually
integrated platform, more than half cite the overall benefit of
involves extra costs and hassles related to integration (or lack
an improved cloud security posture, and nearly half identified
of it), incompatible management and reporting tools, and the
enhanced security incident investigations. An integrated solution
complexity of working with more vendors.
gives security professionals confidence that the different
technologies work together and that information won’t fall
through the cracks between them.

Introduction

Respondents also highlighted an improved customer support

experience and simplified security rules management. These
“The fact that all five benefits were cited by at
are functions of better information sharing and working with
a single, consistent set of security policies. Roughly one-third least 30 percent of the respondents indicates
of the respondents also pointed to easier management of that a unified platform for application and data
third-party integrations as a major benefit.
security is one of those areas in cybersecurity
The fact that all five benefits were cited by at least 30 percent of where integration and single-vendor sourcing
the respondents indicates that a unified platform for application
just make sense.”
and data security is one of those areas in cybersecurity where
integration and single-vendor sourcing just make sense.

Introduction

Hybrid Cloud Security Challenges

Which of the following hybrid cloud security challenges are most concerning? (Select up to three.)
Detecting unauthorized application usage

(i.e., shadow IT), including torrent and 46.4%
crypto-mining
Detecting and responding to cyberthreats 45.3%
Accessing and inspecting 40.0%

multi-cloud traffic
Accessing and inspecting container traffic 32.5%
Maintaining regulatory compliance 30.7%
Meeting internal service level 30.0%

objectives (SLOs)
Figure 27: Most concerning hybrid cloud security challenges.
When organizations transition applications to cloud platforms, We added a question to our survey this year to get a handle on the
they don’t have to worry about managing the underlying challenges created by hybrid cloud environments (see Figure 27).
infrastructure. The move can even simplify security – if an
The top two issues selected by the respondents were detecting
organization does all of its work on one platform. But in reality,
unauthorized application usage (46.4%) and detecting and
the vast majority of organizations do some of their work on each
responding to cyberthreats (45.3%). While every server type and
of several platforms. These include physical and virtual servers in
platform has tools for detecting issues and alerting on incidents,
their own data centers, in private clouds, and in multiple public
there is no standardization and little or no out-of-the-box
cloud services such as Amazon Web Services (AWS), Microsoft
integration. Security professionals are left with the soul-crushing
Azure, Google Cloud Platform, Alibaba Cloud, and IBM Cloud.
work of collecting and analyzing inconsistent data, filtering out
duplicates and false negatives, responding using multiple tools, etc.

Introduction

The third- and fourth-place challenges are accessing and inspecting Coming just behind, but still important to almost a third of the
multi-cloud traffic (40.0%) and accessing and inspecting container respondents, are challenges related to maintaining regulatory
traffic (32.5%). These two are also related to inconsistent data compliance (30.7%) and meeting internal service level objectives
across environments and the need for multiple tools, sometimes (30.0%).
compounded by the need to manage multiple permissions and
How many organizations in fact face these challenges? A lot. A
credentials to access different systems and platforms.
full 96% of the respondents in our survey indicated that they are
dealing with a hybrid cloud environment.
“Security professionals are left with the

soul-crushing work of collecting and analyzing
inconsistent data, filtering out duplicates
and false negatives, responding using
multiple tools, etc.”

Introduction

Boosting Careers with Cybersecurity Certifications

Based on your organization’s current climate, which of the following types of cybersecurity certifications
do you believe would be most beneficial to your career path? (Select up to three.)
Cloud security 55.3%
Software security 53.2%
Security administration 43.9%
Fundamental skills 22.6%

& knowledge
Leadership & operations 21.9%
Engineering 18.7%
Authorization 18.6%
Architecture 16.5%
Figure 28: Types of specialty cybersecurity professional certifications deemed most beneficial to IT security career paths.
For knowledge workers, continuing education is essential The top two choices, both selected by more than half of the
for getting and keeping good jobs. At least, that is the respondents, are certifications for cloud security (55.3%) and
overwhelming opinion of the respondents to our survey. Except for software security (53.2%). These are both growth areas. As
for a few holdouts (1% of the sample - probably people already enterprises migrate more and more application processing to
planning their retirement party), virtually all respondents said cloud platforms, demand for cloud security expertise is likely
that at least one cybersecurity certification would be beneficial to grow and grow. Similarly, many organizations are working
for their career (see Figure 28). on building security into their applications (as opposed to
detecting evidence of attacks and compromises after they are
in production). People who understand application security and
DevSecOps practices don’t have to worry about job security.

Introduction

The next most beneficial certification is for security administration In fact, interest in all three of these certifications took big jumps
(43.9%). Security administrators are the backbone of many security from last year to this one: up 4.1% for cloud security, 3.2% for
teams, where they install, configure, and maintain security tools software security, and 5.6% for security administration.
and infrastructure. As shown in Figure 10 on page 15, there are
The next two types of certification are of most interest to people
more vacancies for security administrators than for any other
making career moves. Fundamental skills and knowledge (22.6%)
security role.
helps people entering IT security or eager to fill gaps in their
basic knowledge of the field, while leadership and operations
(21.9%) is for security professionals who want to move into
security management roles.
“Demand for cloud security expertise is likely
to grow and grow... People who understand Rounding out the field are certifications for three specialized
areas: security engineering (18.7%), authorization (18.6%), and
application security and DevSecOps practices
architecture (16.5%).
don’t have to worry about job security.”

Introduction

IT Security Budget Allocation

What percentage of your employer’s IT budget is allocated to information security
(e.g., products, services, personnel)?
12.8% Brazil 15.6%

12.7% 12.7%
Turkey 15.3%
12.5% Saudi Arabia 15.0%
Colombia 14.4%
USA 13.7%
12.1%
China 13.6%
Mexico 13.3%
South Africa 13.1%
Spain 11.9%
2018 2019 2020 2021 2022
Mean Mean Mean Mean Mean Canada 11.9%
Italy 11.6%
Figure 29: Percentage of IT budget allocated to information security,
by year. Singapore 11.4%
UK 11.3%
For the last five years we have asked respondents what Japan 11.2%
percentage of their organization’s overall IT budget is allocated
Australia 10.9%
to information security. After rapid growth between the 2018
Germany 10.8%
and 2020 surveys, the amount has leveled off in the 12.7% to
12.8% range (see Figure 29). France 10.7%
Why has the curve flattened out, when dangerous threats Figure 30: Percentage of IT budget allocated to security, by country.
continue to emerge and cybersecurity has become more
visible to top management and boards of directors? And when
3. More organizations are outsourcing security tasks that used
the COVID-19 pandemic has placed more stress on security
to be performed in their data centers to cloud platform
processes and staffs? We think four factors are at work:
providers and MSSPs (see page 46).
1. Many of the expenses required to support the wave of new
4. Some organizations are “sidesourcing” security activities (we are
remote workers created by COVID-19 involved non-security
coining a new term here, meaning delegating tasks to other
items such as more laptops and mobile devices, more
groups in the same enterprise) by training software developers
network capacity, and additional help desk support.
to build security into their code and end users to recognize and
2. As shown on Figure 24 on page 24, the gating factor in report phishing, social engineering, and other attacks.
providing better security is finding personnel with security
skills, not budget; it doesn’t make sense to throw more
money at security if you don’t have the people to deploy and
use new technologies or equipment.

Introduction

Turning to the global picture, three countries allocate 15% or

more of IT budgets to security: Brazil (15.6%), Turkey (15.3%),
“Why has the curve flattened out, when
and Saudi Arabia (15.0%). Also towards the high end of the scale
dangerous threats continue to emerge and are the United States (13.7%) and China (13.6%). Three countries
cybersecurity has become more visible...? allocate less than 11%: Australia (10.9%), Germany (10.8%), and
France (10.7%) (see Figure 30).
We think four factors are at work.”
Among major industries, the largest allocations are from telecom
and technology and finance (both 13.3%), while the lowest are
from education (10.7%) and government (10.6%) (see Figure 31).
These factors lead organizations to invest more in security, but
From a size perspective, the smallest organizations (500-999
the additional spending doesn’t show up in the security group’s
employees) and the largest (10,000-24,999 and more than
budget.
25,000) allocate 13% or more. Mid-sized organizations spend
We welcome the fact that security no longer takes bigger bites slightly less: 12.7% for organizations with 1,000-4,999 employees,
out of the IT budget. Some might want to see growth in the and 11.9% for those with 5,000-9,999 (see Figure 32).
relative size of the security “empire,” but that growth is not
sustainable in the long term.
Telecom & Technology 13.3%

500 – 999 13.4%
Finance 13.3%
1,000 – 4,999 12.7%

Retail 12.8%
Manufacturing 12.6% 5,000 – 9,999 11.9%
Healthcare 11.9%
10,000 – 24,999 13.0%
Education 10.7%
Government 10.6% More than 25,000 13.1%
Figure 31: Percentage of IT budget allocated to security, by industry. Figure 32: Percentage of IT budget allocated to security, by
employee count.

Introduction

IT Security Budget Change

Do you expect your employer’s overall IT security budget to increase or decrease in 2022?
85.4% On a country-by-country basis, respondents from Brazil and

83.5% 83.2%
78.7% Turkey are expecting the largest budget increases, 6.7% and
76.0% 77.8%
6.5%, respectively (see Figure 35). Interestingly, they also report
the largest allocations of their organization’s IT budgets this year
(see Figure 30 on page 32). The smallest increases are forecast for
the United Kingdom (3.8%), Italy (3.7%), Canada (also 3.7%), and
Germany (3.2%).
Respondents from five of the seven major industries are expecting

increases of around 5% (see Figure 36). They are: manufacturing
(5.3%), telecom and technology (4.9%), finance (also 4.9%), retail
(4.8%), and education (4.7%). But the projected increases are
below 4% for government (3.9%) and healthcare (3.6%).
The expected increases for small, medium, and large organizations

2017 2018 2019 2020 2021 2022 all fall within a band of 4.2% to 5.5% (see Figure 37).
Figure 33: Percentage of organizations with rising security budgets.
The previous question examined security spending as a 4.9% 5.0%

4.7% 4.6%
percentage of the overall IT budget. This question looks at
whether security spending is rising or falling in absolute terms.
4.0%
It’s mostly rising (see Figure 33). Of the organizations in the
survey, 83.2% are predicting a budget increase this year (versus
7.1% that are predicting a decline and 9.7% that expect their
budget to stay about the same). Those statistics are pretty
2018 2019 2020 2021 2022
consistent with results from the past few years, with the
exception of 2021, when the COVID-19 pandemic prevented Figure 34: Mean annual increase in IT security budgets.
budget increases in slightly more organizations than usual.
The average increase in security budgets has been fairly steady,

ranging between 4.0% and 5.0% for the past five years (see
Figure 34). The average expectation is for budgets to rise a
healthy 4.6% this year. If you work in cybersecurity, ask for a raise!

Introduction

Brazil 6.7%
Manufacturing 5.1%
Turkey 6.5%
South Africa 5.8% Telecom & Technology 4.9%

Australia 5.4%
Mexico 5.1% Finance 4.9%

France 5.0%
China 4.9%
Retail 4.8%
Colombia 4.8%
Education 4.7%
USA 4.7%
Singapore 4.6%
Government 3.9%
Saudi Arabia 4.6%
Japan 4.2% Healthcare 3.6%
Spain 4.1%
UK 3.8% Figure 36: Mean security budget increase, by industry.
Italy 3.7%
Canada 3.7%
Germany 3.2%
Figure 35: Mean security budget increase, by country.

500 – 999 4.7%
1,000 – 4,999 4.2%
“The average increase in security budgets has 5,000 – 9,999 4.7%

been fairly steady, ranging between 4.0% and
5.0% for the past five years.”
10,000 – 24,999 5.5%
More than 25,000 5.1%
Figure 37: Mean security budget increase, by employee count.

Introduction

Network Security Deployment Status

Which of the following network security technologies are currently in use or planned for
acquisition (within 12 months) by your organization?
Planned for
Currently in use No plans
acquisition
Advanced malware analysis / sandboxing 59.7% 31.0% 9.3%
Intrusion detection / prevention system (IDS/IPS) 56.2% 33.7% 10.1%
Secure email gateway (SEG) 56.1% 30.8% 13.1%
Data loss / leak prevention (DLP) 55.0% 34.9% 10.1%
Secure web gateway (SWG) 55.0% 34.2% 10.8%
Network access control (NAC) 54.4% 35.0% 10.6%
Denial of service (DoS/DDoS) prevention 53.9% 35.2% 10.9%
SSL/TLS decryption appliances / platform 51.8% 36.1% 12.1%
Network behavior analysis (NBA) / NetFlow analysis 46.9% 37.5% 15.6%
Next-generation firewall (NGFW) 46.1% 41.9% 12.0%
Deception technology / distributed honeypots 44.3% 37.1% 18.6%
Table 1: Network security technologies in use and planned for acquisition.
There is no shortage of innovative new security products being But while an abundance is better than a dearth, it does make
brought to market. According to the Crunchbase website, in prioritization more difficult. We want to help. In this question
2021 venture capitalists invested $20 billion in cybersecurity and the next four, we throw light on what your peers think. What
startups, including a record-smashing $7.8 billion in the fourth cybersecurity offerings are must-haves? Which are the up-and-
quarter. And as we saw in Figure 24 on page 24, “lack of effective comers they plan to acquire to address emerging threats? Are
solutions available in the market” tied for second-to-last place in some failing to generate much interest?
a list of factors that inhibit defense against cyberthreats. Nobody
is worried about having too few options.

Introduction

On this and the following tables, the first column shows the So, while advanced malware and sandboxing remain a “must-
percentage of organizations that are currently using each have” technology, four other network security technologies
technology. The middle column depicts organizations that are also found in 55% or more of organizations. Installations
are planning to acquire the technology this year. The last of all four grew substantially since the previous survey. They
column represents organizations that aren’t sure they need the are: intrusion detection/prevention system (IDS/IPS), up 4.4%
technology. To make the results easier to absorb, we color-coded to 56.2%; secure email gateway (SEG), up 2.8% to 56.1%; data
the cells. Dark blue highlights technologies that are widely used loss/leak prevention (DLP), up 1.5% to 55.0%; and secure web
now or are most likely to be deployed soon. Lighter shades gateway (SWG), up 3.3% to 55.0%. These technologies use a
indicate lower adoption levels and fewer planned acquisitions. variety of methods to detect anomolous network behaviors, as
The cells with the “no plans” figures are gray. well as content and hyperlinks that may be related to malicious
activities.
The next three network security technologies on our list are in

use at more than half of organizations: network access control
“While advanced malware and sandboxing
(NAC), at 54.4%; denial of service (DoS/DDos) prevention, at
remain a ‘must have’ technology, four other 53.9%; and SSL/TLS decryption appliances and platforms, at
network security technologies are also found 51.8%.
in 55% or more of organizations.” Lined up for new installations or upgrades in the coming 12
months: next-generation firewall (NGFW) technology (planned
for acquisition by 40.3% or organizations), network behavior
analysis (NBA) and netflow analysis (37.5%), and deception
technology and distributed honeypots (37.1%). We think the last
We start by examining network security technologies (see Table 1).
type of technology is especially interesting since it can be used
For the last several years, the one that has been most widely
to catch threat actors “in the act” without exposing real networks
used is advanced malware detection and sandboxing (in use in
or data.
59.7% or organizations). The ubiquity of this technology (or really,
group of technologies) is not surprising, given that malware Now let’s see what endpoint security technologies are exciting
concerns our respondents more than any other type of threat your peers (page 38).
(as shown in Figure 13 on page 17).
However, this area is subject to a continuous arms race. Vendors

compile more malware signatures; threat actors use obfuscation
and polymorphism to disguise files. Vendors use sandboxing to
detect malicious behaviors; the bad guys figure out how to delay
malicious activities until after the sandboxes stop detecting.
Vendors use AI to identify suspicious activities; attackers manage
to prevent the anti-malware software from running. Move and
countermove.

Introduction

Endpoint Security Deployment Status

Which of the following endpoint security technologies are currently in use or planned for
acquisition (within 12 months) by your organization?
Planned for
acquisition
Basic anti-virus / anti-malware (threat signatures) 74.2% 22.3% 3.5%
Endpoint detection and response (EDR) 57.6% 31.8% 10.6%
Data loss / leak prevention (DLP) 56.6% 31.6% 11.8%
EPP / Advanced anti-virus / anti-malware
55.3% 35.8% 8.9%
(machine learning, behavior monitoring, sandboxing)
Browser or Internet isolation / micro-virtualization 55.1% 35.5% 9.4%
Disk encryption 53.3% 36.2% 10.5%
Digital forensics / incident resolution 49.8% 36.4% 13.8%
Deception technology / honeypots 44.1% 40.5% 15.4%
Table 2: Endpoint security technologies in use and planned for acquisition.
Table 2 provides insights into the deployment status and In this survey we made a significant change to our endpoint
acquisition plans for endpoint security technologies. As with security technology categories, replacing “advanced anti-virus”
Table 1, percentages in dark blue indicate a higher frequency with endpoint protection platform (EPP) and endpoint detection
of adoption and greater likelihood of acquisition, while lighter and response (EDR). This update reflects the evolution of this
blues correspond to less-popular options. technology area and current industry terminology.
The most widely installed endpoint security technology Broadly speaking, EPP products provide traditional anti-virus
continues to be basic anti-virus and anti-malware solutions features enhanced by an array of newer capabilities such as
based primarily on threat signatures. Despite continued reports machine learning, endpoint activity monitoring, and sandboxing.
that “anti-virus is dead,” old but still dangerous viruses and Collectively, they overcome many of the tricks and techniques
Trojans continue to circulate, and security groups see value malware developers use to evade detection. EDR solutions
in products that detect and block them. That may be why the may include certain EPP features, but they also offer tools to
percentage of organizations currently using this technology help security teams aggregate and analyze endpoint data and
actually increased 3.7%, from 70.5% in the previous survey to respond to campaigns that involve malware.
74.2% in this one.

Introduction

The other technologies in use at more than half of the surveyed

organizations are data loss or lead prevention (DLP), at 56.6%,
“Our respondents reported EDR solutions in and disk encryption, at 53.3%.
use at 57.6% of organizations, and EPP
The endpoint security solution most often planned for
products installed at 55.3%. These numbers acquisition in the coming year is deception technology and
suggest that many organizations use both honeypots. As we mentioned in reference to network security,
EDR and EPP technologies – and basic anti-virus this can be used to catch threat actors in the act without
exposing sensitive data. This solution not only prevents data
packages as well – on their endpoints.”
breaches in the short run, it also derails and misinforms attackers
and collects intelligence on the tactics, techniques, and
procedures (TTPs) of threat actors. There is also a psychological
element: many security organizations welcome the chance to
Our respondents reported EDR solutions in use at 57.6% of gain an advantage over attackers instead of always being at a
organizations, and EPP products installed at 55.3%. These disadvantage.
numbers suggest that many organizations use both EDR and EPP
Now it’s time to explore application- and data-centric security
technologies – and basic anti-virus packages as well – on their
technologies (see page 40).
endpoints.
What endpoint technology had the biggest jump in usage

during the past year? That would be browser or internet isolation
and micro-virtualization products. Installations leaped 6.9%,
from 48.2% to 55.1%. Instead of viewing web pages and running
scripts and apps in browsers on their own systems, end users
run them in a virtual browser on a cloud platform. Malware can’t
spread to the users’ systems, and suspicious activities can be
observed in the cloud. This technology has a great deal of appeal
for organizations where remote work and cloud applications are
expanding.

Introduction

Application and Data Security Deployment Status

Which of the following application- and data-centric security technologies are currently
in use or planned for acquisition (within 12 months) by your organization?
Planned for
acquisition
API gateway / protection 64.1% 28.6% 7.3%
Web application firewall (WAF) 61.1% 29.9% 9.0%
Database firewall 59.5% 30.5% 10.0%
Application container security tools/platform 54.3% 36.5% 9.2%
Cloud access security broker (CASB) 53.3% 33.2% 13.5%
Database activity monitoring (DAM) 53.1% 35.9% 11.0%
Application delivery controller (ADC) 52.2% 33.6% 14.2%
Runtime application self-protection (RASP) 50.4% 35.1% 14.5%
File integrity / activity monitoring (FIM/FAM) 50.2% 37.8% 12.0%
Advanced security analytics (e.g., with machine learning, AI) 50.2% 39.7% 10.1%
Static/dynamic/interactive application security testing
48.0% 38.2% 13.8%
(SAST/DAST/IAST)
Bot management 42.6% 39.8% 17.6%
Table 3: Application and data security technologies in use and planned for acquisition.
In the area of application and data security, the most popular uncover rogue and forgotten APIs, blocking injection attacks
offering continues to be API gateway and protection products and other exploits, analyzing attacker behaviors, and correlating
(see Table 3). Usage of these technologies has soared over the API-related data across hybrid and multi-cloud environments.
last few years, rising from 45.1% in our 2018 report to 64.1%
As we mentioned in our discussion of security posture by IT
today. API gateways enforce authorization and encryption
domain on page 12, protecting APIs has become an increasingly
policies, scale resources when traffic spikes, and perform rate
pressing area of concern. As more organizations move to
limiting to mitigate DDoS attacks and other forms of abuse.
modular, services-based cloud applications, more sensitive
API protection solutions provide security teams with tools
data is being accessed through APIs, which are becoming more
to understand, detect, and respond to attacks targeting APIs
tempting targets for threat actors. We think API protection will
by performing tasks such as mapping the attack surface to
become an even bigger area of focus in coming years.

Introduction

Two other must haves are web application firewalls (WAFs), at

61.1%, and database firewalls, at 59.5%. These technologies have
“The most popular offering continues to be
proved themselves in preventing unauthorized access to web
applications and databases. API gateway and protection products. Usage
of these technologies has soared... rising from
Other application and data security solutions that showed
significant growth in installations over the past year are file 45.1% in our 2018 report to 64.1% today.”
activity and activity monitoring (FIM/FAM), up 3.3% to 50.2%;
runtime application self-protection (RASP), up 2.2% to 50.4%;
and application delivery controllers (ADCs), up 1.8% to 52.2%.
Other application and data-centric security technologies
The number-one technology for upcoming purchases is bot
included on a lot of shopping lists are advanced security
management, planned for acquisition in 39.8% of organizations.
analytics, at 39.7%, and static, dynamic, and interactive
It helps defend websites and mobile applications from the
application security testing (SAST/DAST/IAST), at 38.2%.
many types of attacks that utilize bot networks, including DDoS
attacks, phishing and spam campaigns, credential stuffing, brute Now that we’ve covered application and data security, let’s see
force password cracking, content scraping, and click fraud. what’s happening in the world of security management and
operations technologies (see page 42).

Introduction

Security Management and Operations Deployment Status

Which of the following security management and operations technologies are currently
Planned for
acquisition
Active Directory protection 64.5% 27.1% 8.4%
Cyber risk management and reporting 58.0% 31.3% 10.7%
Security configuration management (SCM) 56.5% 32.4% 11.1%
Patch management 54.7% 32.6% 12.7%
Security information and event management (SIEM) 51.7% 36.2% 12.1%
Penetration testing / attack simulation software 50.7% 35.4% 13.9%
Vulnerability assessment/management (VA/VM) 50.6% 38.8% 10.6%
Full-packet capture and analysis 50.4% 36.4% 13.2%
Advanced security analytics (e.g., with machine learning, AI) 50.2% 39.7% 10.1%
Security orchestration, automation and response (SOAR) 49.4% 36.7% 13.9%
Threat intelligence platform (TIP) or service 46.3% 39.7% 14.0%
User and entity behavior analytics (UEBA) 45.7% 38.9% 15.4%
Table 4: Security management and operations technologies in use and planned for acquisition.
Security management and operations technologies support a We added two new categories to our survey this year, and they
number of activities that make security programs effective and immediately occupied the top two spots in terms of installations
reliable, including: (see Table 3)!
Providing basic security hygiene and reducing the attack Active Directory protection is already in use in almost two-thirds
surface of organizations (64.5%). For many, Microsoft Active Directory
is the single source of truth for information about employee
Automating security-related processes
and business partner identities, as well as a repository for
Collecting, analyzing, and reporting on security data to information on group membership and privileged access. It
identify weaknesses, respond to breaches, and prioritize is also a critical resource for implementing ZTNA concepts.
investments Therefore organizations must protect Active Directory from
Testing security defenses using the techniques of likely cybercriminals attempting to create new accounts, escalate
attackers privileges, circumvent network segmentation, and otherwise
gain unauthorized access to networks and applications.

Introduction

Cyber risk management and reporting, currently used in 58.0% In the past, we have rarely seen that combination. Threat
of organizations, helps align security activities with business risks intelligence helps organizations validate and prioritize security
and needs. It also helps IT groups justify investments in security alerts more quickly and accurately, focus on the threats most
professionals, processes, and technologies to top management likely to affect their specific industry and systems, and better
and boards of directors. understand threat actor TTPs. Our data about TIP indicates a
growing appreciation of threat intelligence and the advantages
Other security management technologies that are widely in use
it provides.
include security configuration management, or SCM (employed
in 56.5% of organizations), patch management (54.7%), and
security information and event management, or SIEM (51.7%).
One of the leaders in year-over-year growth was penetration “On this year’s application and data security
testing and attack simulation. The percentage of organizations shopping list, a new CDR entrant, bot
using it increased 2.8%, to 50.7%. We think the use of penetration
testing and attack simulation will continue to grow, along with
management, takes the top spot (40.4%).”
practices such as red team exercises and bug bounty contests. As
many organizations place more emphasis on developing secure
applications, they are recognizing that some application security
issues can only be uncovered by thinking like an attacker. The other technologies with high planned for acquisition
Our data for threat intelligence platform (TIP) or service adoption percentages are advanced security analytics (also 39.7%),
is interesting. Of all the options in the security management and user and entity behavior analysis (38.9%), and vulnerability
operations section, this technology had: assessment and management (38.8%).
1. The biggest year-to-year increase in usage, up 3.3% to 46.3% And now, on to our final category: identity and access
management, or IAM (see page 44).
2. The highest planned for acquisition number, 39.7%

Introduction

Identity and Access Management Deployment Status

Which of the following identity and access management (IAM) technologies are currently
Planned for
acquisition
Password management / automated reset 62.1% 28.5% 9.4%
Adaptive/risk-based authentication 61.8% 28.7% 9.5%
Two-/multi-factor (2FA/MFA) authentication 56.8% 31.8% 11.4%
Single sign-on (SSO) 53.6% 33.4% 13.0%
Privileged account/access management (PAM) 52.8% 33.7% 13.5%
User/account provisioning and de-provisioning 52.3% 35.9% 11.8%
Identity-as-a-Service (IDaaS) 50.3% 35.5% 14.2%
Smart cards 46.8% 38.6% 14.6%
Federated identity management (SAML, Oauth) 46.7% 36.0% 17.3%
Biometrics 44.6% 40.9% 14.5%
Table 5: Identity and access management technologies in use and planned for acquisition.
Identity and access management (IAM) is not the most Who says IAM is increasingly important? Well, our data does.
glamorous segment of information security. It involves a number Since our last survey, organizations increased their use of
of cutting-edge technologies, but also a lot of operational, nine out of the 10 technology categories listed in Table 5. The
administrative, and support tasks related to roles, permissions, percentage using two of the categories increased 7.5%, which
account provisioning and deprovioning, password resets, access is more than any technology in any of our other tables. IAM is
controls, etc., etc. not the most glamorous segment of information security, but in
some respects it is getting the most attention.
Yet today, as never before, organizations need to perform these
tasks quickly and accurately, with maximum security but the The use of password management and automated reset, the
least possible annoyance to users and minimum disruption to most widely deployed IAM technology, increased by 7.5% year
business processes. That’s because more and more business over year, to 62.1%. It automates a very basic set of tasks, but
is being done with web and mobile applications, which provides a big payoff in both user satisfaction and time savings
lead employees and customers to expect consumer-level for IT support staff and administrators.
convenience, but in an environment where nobody can be
trusted to be who they say they are (hence “zero trust” practices).

Introduction

The clear winner in the middle column of Table 5 is biometrics,

with 40.5% of organizations planning to acquire or upgrade
“IAM is not the most glamorous segment
technology in that area. Biometric technologies go even further
of information security, but in some respects than other MFA approaches in combining better security with
it is getting the most attention.” increased convenience.
It is noteworthy that the US Cybersecurity and Infrastructure

Security Agency (CISA) highlights identity as one of the five
pillars of its Zero Trust Maturity Model. CISA emphasizes that
Adaptive and risk-based authentication was up 5.5% this year, on
organizations should validate identities continuously, not just
top of 4.9% growth last year, to reach 61.8% of organizations. It
when initially granting access. Additionally, organizations should
balances security and convenience by ensuring that employees
fully implement just-in-time and just-enough access controls and
and customers provide just the appropriate amount of
have global identity awareness across cloud and on-premises
credentials and information, but no more, based on factors like
environments. We are likely to see more organizations move in
the value of the transaction, information about the user and the
these directions.
device, and past behaviors.
And whatever you may see in the movies, it is not possible
The use of two-factor and multi-factor authentication (2FA and
to chop off someone’s finger and use it to open the door of
MFA) also surged 7.0% from the previous survey, reaching 56.8%.
a top-secret laboratory. That’s because of things like tissue
They have become requirements for many classes of application,
deterioration and capacitive sensors in the fingerprint reader
and vendors and security groups are coming up with ingenious
that must be activated by electrical charges in skin. We thought
ideas for the second and nth factors.
you would want to know that.
Several other IAM technologies are currently in use in half or
more of all organizations. These include single sign-on (SSO), up
3.8% to 53.6%; privileged account management (PAM), up 1.4%
to 52.8%; and user and account provisioning and deprovisioning,
which are up 1.7% to 52.3%.

Introduction

Outsourcing to Managed Security Service Providers (MSSPs)

Which of the following IT security functions does your organization outsource to a managed
security service provider (MSSP)? (Select all that apply)
2022 2019
41.1%
Monitoring/managing SIEM platforms
17.8%
Detecting and responding to advanced cyberthreats/managed 41.1%

detection and response (MDR) 30.6%
39.1%
Monitoring/managing web application firewalls (WAFs)
13.1%
Monitoring/managing intrusion detection/ prevention systems 38.3%

(IDS/IPS) 24.9%
37.5%
Monitoring/managing secure web/email gateways (SWG/SEG)
20.5%
36.8%
Monitoring/managing firewalls or UTMs
30.2%
36.6%
Mitigating distributed denial of service (DDoS) attacks
37.5%
33.3%
Managing vulnerability scans
38.3%
Figure 38: Functions outsourced to an MSSP in 2019 and 2022.
We have observed a trend toward greater use of managed compare the results with those from the 2019 report. Figure 38
security service providers (MSSPs), driven primarily by the shows responses of organizations that outsource at least one
shortage of skilled IT security staff. If you can’t hire enough task to an MSSP, and Figure 39 shows how many organizations
experienced security professionals, why not outsource routine, were not using an MSSP at all in those two years.
repetitive tasks? Or activities that require special skills that are in
As we can see from Figure 39, only 10% of organizations didn’t
short supply? Or jobs that someone else has figured out how to
work at all with an MSSP in 2019, and that figure was even lower
automate?
in 2022: 6.8%. In the big picture that isn’t much of a difference.
Hmm. What are enterprises using MSSPs for? We asked that
But Figure 38 shows that many of the security teams that were
question in older editions of the Cyberthreat Defense Report,
using MSSPs for one or two tasks in 2019 are now working with
then dropped it for a few years. We decided to ask again and
them on three or more.

Introduction

10.0% 6.8% Why the dramatic upswing in the use of MSSPs for all of these
Organizations monitoring and managing tasks? It is partly attributable
NOT working 93.2% to the fact that these are very labor-intensive activities,
with an MSSP 90.0%
particularly when they involve filtering and prioritizing alerts.
Organizations would like to free up their security professionals
for more-strategic jobs. Another major factor is that MSSPs have
Organizations achieved a high level of automation of these tasks, so they can
working with provide these services very economically to their clients.
an MSSP
However, our data included one surprise. The conventional
wisdom is that MSSPs are more popular with small organizations
that can’t fill their staff with security specialists. However, as
shown in Figure 40, 87.4% of small organizations (500-999
2019 2022 employees) use an MSSP, and 92.7% of medium-sized ones
(1,000-4,999 employees), but large and very large enterprises
Figure 39: Percentage of organizations not working with an MSSP employ MSSPs even more often (94.3% or higher). Evidently,
in 2019 and 2022.
even very large security groups want to save money and free up
their expert personnel for strategic projects.
Of course, some organizations outsource tasks related to specific

“What are enterprises using MSSPs for? We asked
applications or business units, while using their internal staff to
that question in older editions of the Cyberthreat perform the same tasks for other applications and business units.
Defense Report, then dropped it for a few years. Probably many of the large and very large enterprises are using
We decided to ask again and compare the results MSSPs selectively rather than across the board. But they do use
them.
with those from the 2019 report.”
500 – 999 87.4%
We can also see a significant shift in the mixture of the tasks

being outsourced to MSSPs. Actually, the ones that were the
1,000 – 4,999 92.7%
leaders in 2019 – managing vulnerability scans, mitigating DDoS
attacks, detecting and responding to advanced threats, and
monitoring and managing firewalls and UTM devices – are still
5,000 – 9,999 96.9%
common today, if at somewhat lower rates. But the categories
that were less popular in 2019 have shown tremendous increases
over the past three years.
10,000 – 24,999 96.0%
Specifically, 23.3% more organizations are using MSSPs to
monitor and manage SIEM platforms. The use of MSSPs to
monitor and manage WAFs has increased 26.0%. Monitoring More than 25,000 94.3%
and managing IDS/IPS systems is up 13.4%, and monitoring and
managing SWG and SEG platforms has risen 17.0%. Figure 40: Percentage of organizations using an MSSP, by employee count.

Introduction

Security Applications Delivered via the Cloud

What percentage of your information security applications and services is delivered via the cloud?
41.1% In August 2020, CyberEdge conducted a survey that was

40.6%
published as “The Impact of COVID-19 on Enterprise IT Security
Teams.” Of the 600 IT security professionals surveyed, three-
quarters indicated a significant preference for cloud-based
35.7% security solutions over traditional on-premises products.
That preference resulted in action. Organizations made a heroic

effort to support remote work, BYOD policies, and cloud-based
applications with cloud-based security. Between our 2020
and 2021 reports, the percentage of security applications and
2020 Mean 2021 Mean 2022 Mean
services delivered via the cloud jumped from 35.7% to 40.6%, an
Figure 41: Percentage of security applications and services delivered increase of 4.9% (see Figure 41).
via the cloud.
Between the 2021 and 2022 reports, the percentage moved up
a more modest 0.5%, as security groups shifted from deploying
Brazil 50.3% new cloud-based security solutions to tuning and consolidating
USA 50.1% the ones implemented earlier. And the new record level, 41.1%,
Mexico 46.7% is pretty impressive, given that only a few years ago most people
thought they couldn’t trust security products outside their
Saudi Arabia 45.9%
organization’s data centers.
South Africa 43.2%
Singapore 40.9% We believe the share of cloud-based security offerings is likely
Turkey
to increase at a steady pace of around 0.5% to 1.0% per year for
38.7%
several years. These offerings include security tools from public
Spain 38.5%
cloud platform providers like Amazon, Microsoft, and Google,
UK 37.3% cloud-based versions of existing on-premises security products,
Colombia 36.7% and new security solutions developed from the ground up for
Canada 35.6% cloud deployment.
Australia 34.8% The appetite for cloud-based security applications and services
Italy 33.4% varies considerably around the globe (see Figure 42). Half of all
Japan 32.8% security is cloud-based in Brazil (50.3%) and the United States
France 32.3%
(50.1%). Not far behind come Mexico (46.7%) and Saudi Arabia
(45.9%). At the other end of the spectrum, cloud-based security
Germany 31.3%
solutions have not been so widely adopted in Japan (32.8%),
China 30.9%
France (32.3%), or Germany (31.3%). The nation with the lowest
Figure 42: Percentage of security applications and services delivered
level of interest is China (30.9%).
via the cloud, by country.

Introduction

As shown in Figure 43, the major industries most aggressively

Finance 48.7%
adopting cloud-based security are finance (48.7%), healthcare
(44.3%), and retail (42.1%). Slower adopters include educational
institutions (30.6%) and government agencies (30.4%). Healthcare 44.3%
Retail 42.1%
Manufacturing 40.3%
“These days, smart IT security teams are
turning to cloud-based security solutions Telecom & Technology 37.3%
like never before.”
Education 30.6%
Government 30.4%
Figure 43: Percentage of security applications and services delivered

via the cloud, by industry.

Introduction

Practices That Support Application Security

Which of the following practices does your organization embrace to enhance
application security? (Select all that apply.)
Security training for 63.0%

application developers
Web application scanning 53.4%
Third-party security 52.2%

testing/bug bounties
DevSecOps teams and 49.1%

methodologies
Penetration testing 42.4%
Figure 44: Practices organizations use to enhance application security.
Many organizations are investing in application security. You can The most popular practice is security training for application
prevent a lot of data breaches if you can build good security into developers, provided by 63.0% of the organizations surveyed.
an application and catch security-related defects before it is put Traditionally, coders focused on functionality and did not
into production. have the knowledge or incentive to address security issues.
Security training encourages development teams to follow
But what exactly are organizations doing to enhance application
security best practices for architecting applications (e.g.,
security? We added this question to the survey so you could find
segmenting application components and controlling access
out what your peers are doing (see Figure 44).
between them), coding (e.g., validating user input and using
parameterized queries to block injection attacks), adding
risk-based authentication, encrypting data at rest and in motion,
and other areas where security can be built into the application.

Introduction

Also widely used are third-party security testing and bug

bounty programs (52.2%) and penetration testing (42.4%). Both
“You can prevent a lot of data breaches If encourage human testers to think like attackers and replicate
you can build good security into an application their techniques to find weaknesses that conventional scanning
and catch security-related defects before it and software testing tools won’t detect. Bounty programs are
economical and can enlist a large number of freelance testers,
is put into production.”
but the participants get to choose what they test, so they may
not cover all features of an application. Penetration testing, either
by internal staff or service providers, is more expensive, but the
testers’ activities can be directed to ensure complete coverage.
Developers can also be trained to test their own work to find
Finally, development/security/operations (DevSecOps)
security weaknesses in the code and in business logic.
practices, in use in 49.1% of organizations, ensure that software
Web application scanning is an automated way to uncover a code is tested early and continuously during the application
wide range of vulnerabilities and defects in online applications. It development process. In the 2021 CDR we asked respondents
is performed at 53.4% of organizations. about the benefits of DevSecOps practices. They cited increased
speed of deploying application updates and new applications,
improved relations between development and security
personnel, reduced costs, and fewer application security
vulnerabilities.

Introduction

Protecting Employees Working from Home

Which of the following technologies and/or architectures does your organization
use to enable employees to securely work from home? (Select all that apply.)
Anti-virus / endpoint 51.9%

security software
Virtual private network (VPN) 49.7%
Software-defined wide area 43.5%

network (SD-WAN)
Network access control (NAC) 42.8%
Mobile device/application 40.5%

management (MDM/MAM)
Secure access service edge (SASE) 39.5%
Zero trust network access (ZTNA) 34.5%
Figure 45: Technologies and architectures to enable secure work from home.
According to a recent blog post by the Gallup polling and If everyone’s wish is granted, something like 54 million U.S.
analytics firm (Bet on It: 37% of Desks Will Be Empty), of the 60 workers will need to be able to work securely from home at least
million Americans who could potentially work from home: one day a week, even after the COVID-19 pandemic subsides. If
you add in similar figures for other countries around the world
30% would prefer to never come into the office during the
you get… a really, really big number.
week.
We added a question to this year’s survey about what
60% want a blend of working one to four days per week at
technologies and architectures enterprises are deploying to cope
home.
with this imperative (see Figure 45).
10% prefer working all five days in the office.

Introduction

The top two responses, each selected by about half the Secure access service edge (SASE) architectures and ZTNA
respondents, were those steady workhorses, anti-virus and frameworks are seen as helping to protect remote employees in
endpoint security software (51.9%) and virtual private network 39.5% and 34.5% of organizations. We will be discussing them
(VPN) technology (49.7%). Anti-virus and various flavors of more (along with SD-WANs) on page 54.
endpoint detection and response solutions are still considered
key elements in a defense-in-depth strategy, and are likely to
retain that status well into the future. However, we think the use
of VPNs may fall off in coming years as organizations adopt a “Something like 54 million workers in the
variety of alternative network encryption methods that are easier
USA will need to be able to work securely
to manage.
from home at least one day a week... If you
Software-defined wide area networks (SD-WANs) are used by
add in similar figures for other countries
43.5% of organizations to help protect home workers. Besides
ensuring that network traffic from remote locations travels around the world you get… a really, really
over encrypted channels, many SD-WAN products contribute big number.”
to security with built-in firewall, intrusion detection, and
anti-malware features.
Network access control (NAC) and mobile device and application

management (MDM/MAM) solutions are deployed by 42.8%
and 40.5% or the organizations in our survey, respectively. These
technologies prevent unauthorized connections to networks by
enforcing access control policies, supporting advanced forms of
authentication, and confirming that required security defenses
are installed and active on computers and mobile devices.

Introduction

Emerging IT Security Technologies and Architectures

Describe your organization’s deployment plans for each of the following emerging
IT security technologies/architectures.
Currently in production Implementation in progress Implementation to begin soon No plans
81.9%
Software-defined wide area
network (SD-WAN) 54.9% 27.0% 11.5% 6.6%
78.6%
Hardware-based/firmware security 49.5% 29.1% 14.4% 6.9%
77.0%
Zero trust network access (ZTNA) 36.5% 40.5% 14.7% 8.2%
73.0%
Passwordless authentication 39.9% 33.1% 14.5% 12.5%
72.9%
Secure access service edge (SASE) 40.7% 32.2% 18.8% 8.3%
72.9%
Extended detection and
response (XDR) 37.3% 35.6% 15.8% 11.3%
Figure 46: Plans for implementing emerging IT security technologies and architectures.
The final topic in this 2022 edition of the Cyberthreat Defense and expensive MPLS circuits with simple broadband connections
Report is a look at deployment plans for six emerging technologies to the internet. Besides cutting networking costs, they
and architectural approaches to security (see Figure 46). dynamically route high-priority traffic to faster links and provide
higher levels of redundancy. To strengthen security, they encrypt
The technology at the top of the list for “currently in production”
network traffic and sometimes enforce firewall and intrusion
plus “implementation in progress” is software-defined wide
prevention rules. With all these advantages, it is not surprising
area network (SD-WAN). SD-WAN products allow enterprises to
that SD-WANs are in production or being implemented in four
replace dozens or hundreds of individually configured routers
out of five organizations (81.9%).

Introduction

Passwordless authentication is currently in production or

being implemented in 73.0% of organizations. This solution
“These emerging technologies and architectures
involves technologies and standards that provide effective,
can help your organization move toward more convenient authentication without the use of passwords
integrated, effective, and economical IT security. or other memorized credentials. Authentication factors can
If you are not familiar with any of them, we hope include one-time codes sent to smartphones, hardware tokens,
fingerprints, facial features, voices, retinal patterns, behavioral
this report will prompt you to investigate.” patterns, gestures, and even pressure on keyboard keys.
Passwordless authentication techniques significantly reduce
security risks (including the use of passwords for multiple
accounts) and lower the costs of password reset and other
Second on this list is hardware-based and firmware security, support tasks. We expect their use to grow.
which is in production or implementation stages at 78.6% of
Secure access service edge (SASE) is a cloud architecture that
organizations. This category refers to security features that
combines SD-WAN and other key networking concepts with
are embedded in chips or firmware, and therefore cannot
security functions such as firewall as a service (FaaS), secure web
be tampered with even if attackers take control of operating
gateway (SWG), cloud access security broker (CASB), and features
systems and hypervisors. Hardware-based and firmware security
that support ZTNA. In fact, there are so many elements in the
features can check at bootup to make sure operating systems
SASE model that no one organization is ever likely to implement
and other software modules have not been corrupted or
all of them. But the model provides excellent guidance to
changed. They can also securely store cryptographic keys and
enterprises and vendors that want a long-term plan for
provide cryptographic services to applications.
implementing and integrating essential networking and security
Zero trust network access is also being implemented or used services, so it is now being adopted at 72.9% of organizations.
in more than three-quarters (77.0%) of organizations. ZTNA
The final item on this list is extended detection and response
is a security framework that reduces network security risks by
(XDR), also in production or being implemented in 72.9% of
removing implicit trust of users on LANs and internal networks
organizations. XDR platforms collect and correlate data from
and enforcing strict user and device authentication for everyone.
multiple security threat detection and incident response tools
Also, ZTNA solutions restrict users to only the applications and
across an entire enterprise.
systems to which they have been explicitly granted access. ZTNA
is proving very popular. Between the last survey and this one, the All these emerging technologies and architectures can help
“currently in production” figure for ZTNA rose 6.3%, from 30.2% your organization move toward more integrated, effective, and
to 36.5%. economical IT security. If you are not familiar with any of them,
we hope this report will prompt you to investigate.

Introduction

The Road Ahead
Russia, Ukraine, Cyberwar, and Cyber be launched during cyberwarfare. There will also be more
Preparedness scrutiny of unglamorous but essential processes like backup and
recovery, vulnerability scanning, and identity management.
These paragraphs are being written during the first weeks of
Russia’s invasion of Ukraine. So far, cyberwarfare, including We also expect heightened interest in threat intelligence relative
attacks on Ukrainian government agencies and banking to state-controlled hacker groups. Many organizations that
institutions and the dissemination of data-wiping malware, have been focusing on blocking cybercriminals with financial
have played a relatively minor role in the conflict. While it is motivations will need to put more emphasis on bad actors
impossible at this point to know how the invasion will end or the working toward military and political goals. There will be a
part cyberattacks will play, we can make a few predictions about premium on up-to-date information about the TTPs of groups
the effect it will have on security teams and the cybersecurity who might conduct cyberwars.
industry.
Similarly, cybersecurity vendors will want to recalibrate their
The invasion is ringing alarm bells across the world, not because products and services toward thwarting the attacks expected in
we have learned anything new about the damage cyberwarfare cyberwarfare. Cybercriminals and cyberwarriors use many of the
can cause, but because we have been forced to reassess the same tools, but their targets, techniques, and objectives differ. It
likelihood that cyberwarfare will be used in future conflicts. A is still vital to protect personal data and credit card information,
few weeks ago, it seemed unthinkable that a nation like Russia but there are going to be a lot of market opportunities in
would launch a brutal, unprovoked invasion of a neighbor, with the near future for defending trains, planes, container ships,
cyberattacks as one component. Today, how can we believe that pipelines, factories, medical equipment, GPS systems, self-driving
future adversaries will hold back from unleashing one of the vehicles, media outlets, and first responder and emergency
most powerful weapons in their arsenal, especially if they have response systems.
fewer conventional arms than Russia?
Clearly, one likely effect is that national governments will

The Effects of COVID-19 Continue to Play Out
become more aggressive in promoting, and often mandating, In 2020 and 2021 security professionals scrambled to cope with
expanded cyber preparedness standards for both government the sudden disruptions caused by the COVID-19 pandemic.
agencies and commercial enterprises. They will widen the Their main focus was upgrading security for the huge surge of
definition of “critical infrastructure” to include not only power people working from home, often with unmanaged devices
grids, financial networks, energy pipelines, and transportation located far outside the corporate firewall and other perimeter
equipment, but also networks and organizations that capture defenses, and using new technologies to communicate and
and communicate digital information, facilitate supply chains, collaborate. In many industries, COVID-19 response also involved
provide healthcare, and perform other necessary functions. Look paying additional attention to the security of web and mobile
also for governments to encourage, and often require, better applications as face-to-face interactions diminished and more
and faster information sharing between organizations about and more activities and transactions were accomplished entirely
cyberthreats. by computer or smartphone. In addition, security staff and other
IT personnel had to learn how to work effectively from their own
There will be more pressure on security teams to prepare and
homes, with all the attendant distractions.
test detailed incident response and business continuity plans
so they can respond quickly to the types of attacks likely to The scrambling isn’t so frantic anymore, but it has become clear

Introduction

The Road Ahead
that many of the effects of COVID-19 on the workplace are not example, national governments have been implementing plans
going to be reversed. As mentioned on page 52, in a recent to harden security for agencies, expand police powers and
Gallup survey, 90% of American workers want to continue to increase criminal penalties, create new cybersecurity standards
work at least one day a week at home (of which 30% prefer for businesses, prevent funds (primarily ransoms in the form
full-time WFH). And consumers are going to keep shopping, of cryptocurrencies) from reaching attackers, and mandate
studying, sightseeing, and schmoozing in pajamas (at least information sharing among private, public, and law enforcement
below the waist). organizations. Examples include the US government’s Executive
Order on Improving the Nation’s Cybersecurity, the Australian
We are expecting many of the technologies and programs
government’s Ransomware Action Plan, and the international
initiated or accelerated because of the pandemic to stay on the
Counter Ransomware Initiative.
front burner. These include:
Equally important, law enforcement agencies have finally begun
Enhancing security and ease of use for remote workers by
to take direct action against the bad actors. Notably, Russia’s
applying ZTNA concepts
FSB conducted a round-up of members of the REvil ransomware
Increasing the security of BYOD programs and mobile apps gang, and Europol has helped facilitate arrests in Ukraine,
Improving visibility and security of applications, data, and
Romania, Kuwait, and other countries.
identities housed on cloud platforms These are just the first steps, but they are significant. Until
Combining security and network management by recently, participants in the ransomware industry were
implementing SD-WANs and SASE architectures essentially immune from punishment. Now, they must take into
account a serious possibility that they might be arrested and
Building security into web and mobile apps through
prosecuted. Also, CEOs and boards of directors of enterprises of
DevSecOps practices and security training for developers all sizes and in all industries are putting direct pressure on their IT
Increasing the security awareness of employees and other security teams to do everything possible to thwart ransomware
end users so they are less susceptible to phishing, social attacks. In addition, security solution vendors are gearing up to
engineering, BEC, and ransomware attacks deliver technologies that will help.
Looking at the big picture, we think there is good reason to

Ransomware Might Be Topping Out believe that the growth curve of the ransomware industry will
We are going to go out on a limb here. The ransomware industry start to turn down in 2022, or at least 2023.
may have peaked, or at least be approaching its peak. True, the
number of organizations victimized continues to rise (see page Third-party Risks Will Be Top of Mind
21). True, exfiltrating data gives ransomware gangs another
We discussed on page 13 that third-party risk management
club to hold over the heads of victims. And true, the gangs
(TPRM) is one of the security capabilities that most of our
have gotten better at finding new categories of victims (such as
survey respondents are least confident about. We believe that
hospitals, schools, and local governments) and at judging what
their concern is well founded, and that over the next couple
the market will bear regarding their ransom demands.
of years enterprises will be paying more attention than ever to
But the industry is starting to become a victim of its own vulnerabilities and risks created by third parties. They include
successes, in that ransomware is now a top-of-mind issue for risks that:
businesses, governments, and law enforcement agencies. For

Introduction

The Road Ahead
Suppliers, contractors, and other third parties could be But we predict that security groups will also try creative new
hacked or bribed into giving up credentials that attackers can ideas. Redefine security jobs to make them more attractive?
use to access an organization’s applications and data. Make better use of part-time employees and freelancers for
specific tasks? Recruit and train candidates from overlooked
Equipment and software from third parties might contain
groups? Run apprenticeship programs with local schools and
vulnerabilities that can be used to penetrate networks.
colleges? Crowdsource good ideas? Recruit gamers with VR
Third-party scripts that run in browsers could be cybersecurity games and simulations?
compromised and allow threat actors to capture credentials
and data from customers and employees. We don’t know what will succeed, but we think if some of the
really smart people in cybersecurity put their minds to it, we can
The second bullet is undoubtedly the most visible of those issues put a dent in this serious problem.
now, because of the vulnerabilities in the Apache Log4j software
and recent memories of the backdoor in SolarWinds software.
Communicating Security Issues to
For this and other reasons, we think that in the near future,
organizations will expend significantly more effort monitoring
Management and Boards
and managing third-party risks. As we mentioned on page 43, this year we added a response
about cyber risk management and reporting to our question
For the IT Skills Shortage, Necessity Can Be about security management and operations technologies – and
the Mother of Invention found that it is already the second-most popular item on our list.
As we noted on pages 15 and 24 and elsewhere in this report, a There is no doubt that CEOs and boards of directors are giving
shortage of skilled IT security professionals is a serious problem unprecedented attention to IT security issues. That means that
for almost every organization and the biggest single impediment IT management and security teams are under pressure to do a
to improving the performance of security teams. This shortage better job of explaining their work, aligning security programs
has been getting worse, and it is increasingly clear that supply with business objectives, and justifying investments in people
may not catch up to demand in our lifetimes. and technology in terms of benefits to the business (not just
by the number of vulnerabilities fixed or the indicators of
But as Plato said in The Republic: “our need will be the real compromise detected).
creator” (later loosely translated as “necessity is the mother of
invention”). When the need is pressing, people find answers. We We think IT organizations are going to demand more, better, and
have discussed several in this report: easier ways to collect security data and present it to executives
and boards in the context of business issues, and where possible,
Training new security professionals and upgrading the skills
quantify risk reduction. And we expect security solutions vendors
of existing ones to respond by improving management reporting capabilities
Outsourcing selected security tasks to MSSPs in existing security products and by delivering new solutions
and services aimed specifically at compiling and presenting
Automating security tasks so experts can focus on
risk-based data to help manage security programs.
more-strategic work

Introduction

The Road Ahead
More Innovative Technologies Tools for hybrid cloud and multi-cloud environments
will be a growth area. On page 28 we discussed security
Here are other innovative concepts and technologies that we
challenges facing organizations that have spread computing
expect to hear more about in 2022 and beyond:
workloads over multiple data centers and private and public
API gateway and protection products help organizations clouds. These challenges are going to become more pressing.
protect applications designed with microservices and As security vendors respond, we will see more products that
cloud-native architectures (see page 40). API gateways sit in offer “single pane of glass” monitoring and unified policy
front of application APIs and perform tasks such as enforcing enforcement across all (or at least most) of the popular data
authorization and encryption policies, scaling resources when center and cloud platforms.
traffic spikes, rate limiting to mitigate DDoS attacks and other Better security for operational technology (OT) and the
forms of abuse, and sending usage data to billing systems.
Internet of Things (IoT) is desperately needed to protect
API protection solutions provide security teams with tools to
utilities, critical infrastructure, and manufacturing plants,
understand, detect, and respond to attacks targeting APIs.
as well as emerging applications for smart devices, from
Their capabilities can include mapping the attack surface
cybercriminals, ransomware gangs, and hackers sponsored by
to create an inventory of legitimate, rogue, and forgotten
hostile militaries. As we discussed on page 12, governments
(“zombie”) APIs, blocking injection attacks and other exploits,
have started to pay more attention to this, and even to fund
analyzing attacker behaviors, and fingerprinting attackers so
research and development, and we expect to see progress
they can be tracked even when they change IP addresses. API
over the next couple of years.
protection solutions can also help security teams correlate
and analyze data across multiple data centers and cloud Deepfake detection technology is still in its early phases,
platforms. In the future, more threat actors are going to be but will become very important as threat actors master
targeting APIs with more sophisticated attacks, which will sophisticated techniques for creating convincing deepfakes:
make API gateways and API protection products increasingly images and recordings digitally altered to present a known
essential for well-rounded security programs. person doing or saying something they did not do or say.
Deepfakes have already been involved in a small number
Hardware- and firmware-based security solutions
of BEC attacks (e.g., phone calls supposedly from the CEO
prevent rootkits and other types of malware from
ordering a subordinate to transfer money to a phony
corrupting operating systems and firmware and from
supplier). Unfortunately, there are numerous opportunities
capturing encryption keys. They can play a part in thwarting
for deepfakes to enhance phishing and misinformation
ransomware attacks and detecting vulnerabilities and
campaigns, attacks on brands, and many other malicious
misconfigurations in unmanaged BYOD devices and in
activities.
systems acquired from third parties.

Introduction

Appendix 1: Survey Demographics
This year’s report is based on survey results obtained from 1,200 America, the Middle East, and Africa). Each participant has an IT
qualified participants hailing from 17 countries (see Figure 47) security job role (see Figure 48). This year, 51% of our respondents
across six major regions (North America, Europe, Asia Pacific, Latin held CIO, CISO, or other IT security executive positions.
United States 29.2%

United Kingdom
8.3%
Colombia Germany
2.8% 6.3%
Mexico 2.8%
Brazil 2.8% 6.3% France
South Africa 4.2%

4.2% Canada
4.2%
Saudi Arabia
4.2%
4.2% Italy
Turkey 4.2%
4.2% 4.2% Spain
Singapore 4.2% 4.2% China
Australia Japan
Figure 47: Survey participation by country.
51.0% CIO, CISO, or IT security

executive
IT security / compliance auditor

3.1%
Other IT security position 4.3%
IT security architect / engineer 5.0%

21.9% IT security administrator
IT security analyst / operator / 7.3%
incident responder
7.4%
Data protection / privacy officer
Figure 48: Survey participation by IT security role.

Introduction

Appendix 1: Survey Demographics
This study addresses perceptions and insights from research More than 25,000
participants employed by commercial and government 500 – 999
9.5%
organizations with 500 to 25,000+ employees (see Figure 49). 10,000 – 25,000 18.2%
A total of 19 industries (plus “Other”) are represented in this 12.5%
year’s study (see Figure 50). The “big 7” industries – education,
finance, government, healthcare, manufacturing, retail, and
telecom and technology – accounted for nearly two-thirds of all
respondents. No single industry accounted for more than 15.1% 21.6%
5,000 – 9,999 38.3%
of participants.
1,000 – 4,999
Figure 49: Survey participation by organization employee count.
15.1%
Finance & Financial Services
15.0%
Telecom and Technology
15.0%
Manufacturing
8.2%
Retail & Consumer Durables
7.8%
Construction and Machinery
6.4%
Healthcare
6.3%
Other
4.1%
Business Support & Logistics
4.1%
Government
3.8%
Education
3.3%
Utilities, Energy, and Extraction
2.8%
Insurance
2.0%
Automotive
1.8%
Real Estate
1.4%
Advertising & Marketing
0.8%
Airlines & Aerospace
0.7%
Food & Beverages
0.6%
Entertainment & Leisure
0.6%
Agriculture
0.3%
Nonprofit
Figure 50: Survey participation by industry.

Introduction

Appendix 2: Research Methodology
CyberEdge developed a 27-question, web-based, vendor- Constructing survey questions in a way that eliminates survey
agnostic survey instrument in partnership with our research bias and minimizes the potential for survey fatigue
sponsors. The survey was promoted via email to 1,200 IT security
Only accepting completed surveys after the respondent has
professionals in 17 countries and 19 industries in November
provided answers to all of the survey questions
2021. The global survey margin of error for this research study (at
a standard 95% confidence level) is +/- 3%. All results pertaining Ensuring that respondents view the survey in their native
to individual countries and industries should be viewed as language (e.g., English, German, French, Spanish, Japanese,
anecdotal, as their sample sizes are much smaller. CyberEdge Chinese)
recommends making actionable decisions based on global data Randomizing survey responses, when possible, to prevent
only. order bias
All respondents had to meet two filter criteria: (1) they had to Adding “Don’t know” (or comparable) responses, when
have an IT security role and (2) they had to be employed by a possible, so respondents aren’t forced to guess at questions
commercial or government organization with a minimum of 500 they don’t know the answer to
global employees.
Eliminating responses from “speeders” who complete the
At CyberEdge, survey data quality is paramount. CyberEdge survey in a fraction of the median completion time
goes to extraordinary lengths to ensure its survey data is of the
Eliminating responses from “cheaters” who apply consistent
highest caliber by following these industry best practices:
patterns to their responses (e.g., A,A,A,A and A,B,C,D,A,B,C,D)
Ensuring that the “right” people are being surveyed by
Ensuring the online survey is fully tested and easy to use on
(politely) exiting respondents from the survey who don’t computers, tablets, and smartphones
meet the respondent filter criteria of the survey (e.g., job role,
job seniority, company size, industry) CyberEdge would like to thank our research sponsors for making
this annual research study possible and for sharing their IT
Ensuring that disqualified respondents (who do not meet
security knowledge and perspectives with us.
respondent filter criteria) cannot restart the survey (from the
same IP address) in an attempt to obtain the survey incentive

Introduction

Appendix 3: Research Sponsors
CyberEdge is grateful for its Platinum, Gold, and Silver sponsors, for without them this report would not be possible.
Platinum Sponsors
(ISC)2 | www.isc2.org Menlo Security | www.menlosecurity.com
(ISC)² is an international nonprofit membership association Menlo Security enables organizations to outsmart threats,
focused on inspiring a safe and secure cyber world. Best known completely eliminating attacks and fully protecting productivity
for the acclaimed Certified Information Systems Security with a one-of-a-kind, isolation-powered cloud security platform.
Professional (CISSP®) certification, (ISC)² offers a portfolio of It’s the only solution to deliver on the promise of cloud
credentials that are part of a holistic, programmatic approach to security—by providing the most secure zero-trust approach to
security. Our membership, more than 160,000 strong, is made preventing malicious attacks; by making security invisible to end
up of certified cyber, information, software and infrastructure users while they work online; and by removing the operational
security professionals who are making a difference and burden for security teams. Now organizations can offer a safe
helping to advance the industry. Our vision is supported by online experience, empowering users to work without worry
our commitment to educate and reach the public through while they keep the business moving forward.
our charitable foundation – The Center for Cyber Safety and
Education. PerimeterX | www.perimeterx.com
PerimeterX is the leading provider of solutions that detect and
Gigamon | www.gigamon.com stop the abuse of identity and account information on the web.
Gigamon helps the world’s leading organizations run fast, stay Its cloud-native solutions detect risks to your web applications
secure and innovate. We provide the industry’s first elastic and proactively manage them, freeing you to focus on growth
visibility and analytics fabric, which closes the cloud visibility and innovation. The world’s largest and most reputable websites
gap by enabling cloud tools to see the network and network and mobile applications count on PerimeterX to safeguard their
tools to see the cloud. With visibility across their entire hybrid consumers’ digital experience while disrupting the lifecycle of
cloud network, organizations can improve customer experience, web attacks.
eliminate security blind spots, and reduce cost and complexity.
Gigamon has been awarded over 125 technology patents and ThreatX | www.threatx.com
enjoys world-class customer satisfaction with more than 4,000 ThreatX’s API protection platform makes the world safer by
organizations, including over 80 percent of the Fortune 100 protecting APIs from all threats, including DDoS attempts,
and hundreds of government and educational organizations BOT attacks, API abuse, exploitations of known vulnerabilities,
worldwide. and zero-day attacks. Its multi-layered detection capabilities
accurately identify malicious actors and dynamically initiate
Imperva | www.imperva.com/ appropriate action. ThreatX effectively and efficiently protects
Imperva is a cybersecurity leader with a mission to protect data APIs for companies in every industry across the globe.
and all paths to it. We protect the data of over 6,000 global
customers from cyber attacks through all stages of their digital
transformation. Our products are informed by the Imperva
Research Lab, a global threat intelligence community, that feeds
the latest security and compliance expertise into our solutions.

Introduction

Gold Sponsors
Aqua Security | www.aquasec.com code, and cloud infrastructure to help reduce risk, ensure compliance
and simplify security. Delinea removes complexity and defines the
Aqua Security is the largest pure-play cloud native security company,
boundaries of access for thousands of customers worldwide, including
providing customers the freedom to innovate and accelerate their
over half of the Fortune 100. Our customers range from small businesses
digital transformations. The Aqua Platform is the leading Cloud Native
to the world’s largest financial institutions, intelligence agencies, and
Application Protection Platform (CNAPP) and provides prevention,
critical infrastructure companies.
detection, and response automation across the entire application
lifecycle to secure the supply chain, secure cloud infrastructure and
LookingGlass | www.lookingglasscyber.com
secure running workloads wherever they are deployed. Aqua customers
are among the world’s largest enterprises in financial services, software, LookingGlass Cyber Solutions develops cybersecurity solutions that
media, manufacturing and retail, with implementations across a broad empower organizations to meet their missions and reduce cyber risk
range of cloud providers and modern technology stacks spanning with a comprehensive view of their attack surface – outside-in and
containers, serverless functions and cloud VMs. inside-out – layered with actionable threat intelligence. By linking
the risks and vulnerabilities from an organization’s attack surface to
Attivo Networks | www.attivonetwork.com customized threat actor models, LookingGlass Cyber Solutions provides
a more accurate view of cyber risk and enables systematic definition and
Attivo Networks, the leader in identity detection and response,
deployment of mitigations to defend against the threats that matter.
delivers a superior defense for preventing privilege escalation and
lateral movement threat activity. Customers worldwide rely on the
Netsurion | www.netsurion.com
ThreatDefend Platform for unprecedented visibility to risks, attack
surface reduction, and attack detection. The portfolio provides patented Flexibility and security within the IT environment are two of the
innovative defenses at critical points of attack, including at endpoints, most important factors driving business today. Netsurion’s managed
in Active Directory, and cloud environments. Attivo has 180 awards for cybersecurity platforms enable companies to deliver on both. Netsurion
technology innovation and leadership. Managed Threat Protection combines our ISO-certified security
operations center (SOC) with our own award-winning cybersecurity
ConnectWise | www.connectwise.com platform to better predict, prevent, detect, and respond to threats
against your business. Whether you need technology with a guiding
ConnectWise is an IT software company that empowers Technology
hand or a complete outsourcing solution, Netsurion has the model to
Solution Providers to achieve success in their As-a-Service business
help drive your business forward.
with intelligent software, expert services, an immersive IT community,
and a vast ecosystem of integrations. The unmatched flexibility of
PhishLabs | www.phishlabs.com
the ConnectWise platform fuels profitable, long-term growth for our
Partners. With an innovative, integrated, and security-centric platform, PhishLabs by HelpSystems is a cyber threat intelligence company that
ConnectWise enables TSPs to drive business efficiency with business delivers Digital Risk Protection through curated threat intelligence and
automation, IT documentation, and data management capabilities. complete mitigation. Specialized teams use threat-specific technology
And increase revenue using remote monitoring, security, and backup and operations to safeguard critical digital assets and protect against
disaster recovery technologies. brand impersonation, account takeover, social media, data leakage, and
advanced email threats across the digital landscape. Developed over a
Delinea | www.delinea.com decade in partnership with the world’s leading brands and companies,
the PhishLabs Platform is the foundation of our Digital Risk Protection
Delinea is a leading provider of privileged access management (PAM)
solution, providing comprehensive collection, expert curation, and
solutions that make security seamless for the modern, hybrid enterprise.
complete mitigation of digital risks.
Our solutions empower organizations to secure critical data, devices,

Introduction

Silver Sponsors
Agari | www.agari.com patches firmware at scale, and prevents firmware-level ransomware and
implants from crippling your organization. Eclypsium serves Global 2000
Agari protects brands, customers and employees from devastating
enterprises and federal agencies, was named a Gartner Cool Vendor, and
phishing and socially engineered attacks. Using an identity-centric
is one of Fast Company’s 10 Most Innovative Security Companies.
approach that uniquely learns sender-receiver behavior, Agari builds
a model of trust that protects the workforce from inbound business
Netwrix | www.netwrix.com
email compromise, supply chain fraud, spear phishing, and account
takeover-based attacks, reducing business risk. Agari also prevents Netwrix makes data security easy thereby simplifying how professionals
spoofing of outbound email from the enterprise to customers, can control sensitive, regulated and business-critical data, regardless
increasing deliverability and preserving brand integrity. With Agari you of where it resides. More than 10,000 organizations worldwide rely on
can restore trust to your inbox. Netwrix solutions to secure sensitive data, pass compliance audits with
less effort and expense, and increase the productivity of IT and security
Binary Defense | www.binarydefense.com teams. Founded in 2006, Netwrix has earned more than 150 industry
awards and been named to both the Inc. 5000 and Deloitte Technology
Binary Defense is a managed security services provider and software
Fast 500 lists of the fastest growing companies in the U.S.
developer with proprietary cybersecurity solutions that include
SOC-as-a-Service, Managed Detection & Response, Security Information
SailPoint | www.sailpoint.com
& Event Management, Counterintelligence and Threat Hunting. Binary
Defense uses a human-driven, technology-assisted approach to provide SailPoint is the leader in identity security for the modern enterprise.
their clients with immediate protection and visibility, combating At the core of SailPoint Identity Security is artificial intelligence and
and stopping the next generation of attacks that their business machine learning. A foundation that protects organizations against
faces. Recognized as a “Leader” on The Forrester Wave: Managed cyber threats by automating the discovery, management, and control
Detection and Response, Q1 2021 report, the Ohio-based organization of ALL user access. SailPoint ensures that each identity, human or
earned high marks for threat hunting and threat intelligence. Visit nonhuman, has the right access needed to do their job – no more,
BinaryDefense.com/Forrester to learn more. no less. We meet customers where they are with an intelligent
identity solution that matches the scale, velocity and environmental
Drawbridge | www.drawbridgeco.com needs of your business. Trusted by the world’s largest, most complex
organizations.
Drawbridge is a specialized technology firm providing comprehensive
cybersecurity solutions to the financial services and alternative
Telos | www.telos.com
investment communities. Drawbridge’s unique all-in-one platform and
tech-enabled professional services provide firms with foundational, Telos Corporation empowers and protects the world’s most security-
turnkey solutions that scale as their businesses evolve. With over 800 conscious organizations with solutions for cyber, cloud, and enterprise
clients, Drawbridge has quickly become the leading provider among security. Telos’ offerings include cybersecurity solutions for IT risk
private equity firms, hedge funds, and venture capital firms. management and information security; cloud security solutions to
protect cloud-based assets and enable continuous compliance with
Eclypsium | www.eclypsium.com security standards; and enterprise security solutions for identity and
access management, secure mobility, organizational messaging, and
Eclypsium is the firmware security company. Eclypsium’s SaaS platform
network management and defense. We serve organizations in financial
identifies, verifies and fortifies firmware throughout networks and
services, healthcare, state and local government, education, and other
technology supply chains, from endpoints and servers to network
highly regulated sectors; military, civilian and intelligence of the U.S.
gear and connected devices. Eclypsium secures networks against
federal government, and allied nations around the world.
stealthy firmware attacks, provides continuous firmware monitoring,

Introduction

Appendix 4: About CyberEdge Group
Founded in 2012, CyberEdge Group is the largest research, marketing, and publishing firm to serve the IT security vendor
community. Today, approximately one in six IT security vendors (with $10 million or more in annual revenue) is a CyberEdge client.
CyberEdge’s highly acclaimed Cyberthreat Defense Report (CDR) and other single- and multi-sponsor survey reports have
garnered numerous awards and have been featured by business and technology publications alike, including The Wall Street
Journal, Forbes, Fortune, USA Today, NBC News, ABC News, SC Magazine, DarkReading, and CISO Magazine.
CyberEdge has cultivated its reputation for delivering the highest-quality survey reports, analyst reports, white papers, and
custom books and eBooks in the IT security industry. Our highly experienced, award-winning consultants have in-depth subject
matter expertise in dozens of IT security technologies, including:
Advanced Threat Protection (ATP) Patch Management
API Security Penetration Testing
Application Security Privileged Account Management (PAM)
Cloud Security Risk Management/Quantification
Data Security Secure Access Service Edge (SASE)
Deception Technology Secure Email Gateway (SEG)
DevSecOps Secure Web Gateway (SWG)
DoS/DDoS Protection Security Analytics
Endpoint Security (EDR & EPP) Security Configuration Management (SCM)
Extended Detection & Response (XDR) Security Information & Event Management (SIEM)
Firmware Security Security Orch., Automation, and Response (SOAR)
ICS/OT Security Software-defined Wide Area Network (SD-WAN)
Identity and Access Management (IAM) SSL/TLS Inspection
Intrusion Prevention System (IPS) Supply Chain Risk Management
Managed Detection & Response (MDR) Third-Party Risk Management (TPRM)
Managed Security Services Providers (MSSPs) Threat Intelligence Platforms (TIPS) & Services
Mobile Application Management (MAM) User and Entity Behavior Analytics (UEBA)
Mobile Device Management (MDM) Unified Threat Management (UTM)
Network Behavior Analysis (NBA) Virtualization Security
Network Detection & Response (NDR) Vulnerability Management (VM)
Network Forensics Web Application Firewall (WAF)
Next-generation Firewall (NGFW) Zero Trust Network Access (ZTNA)
For more information about CyberEdge and our services,

call us at 800-327-8711, email us at [email protected],
or connect to our website at www.cyber-edge.com.

Introduction

CyberEdge Acceptable Use Policy

CyberEdge Group, LLC (“CyberEdge”) encourages third-party organizations to incorporate textual and graphical elements of this
report into presentations, reports, website content, product collateral, and other marketing communications without seeking explicit
written permission from CyberEdge, provided such organizations adhere to this acceptable use policy.
The following rules apply to referencing textual and/or graphical elements of this report:
1. Report distribution. Only CyberEdge and its authorized 4. Figures and tables. Figures and tables extracted from this
research sponsors are permitted to distribute this report for report must not be modified in any way. Artwork for figures
commercial purposes. However, organizations are permitted and tables for the most recent Cyberthreat Defense Report are
to leverage the report for internal uses, including training. available for download at no charge on the CyberEdge website
at https://www.cyber-edge.com/cdr.
2. Source citations. When citing a textual and/or graphical
element from this report, you must incorporate the following 5. No implied endorsements. CyberEdge does not endorse
statement into a corresponding footnote or citation: “Source: technology vendors. Cited CyberEdge content should never
2022 Cyberthreat Defense Report, CyberEdge Group, LLC.” be used to imply favor from CyberEdge.
3. Quotes and excerpts. Quotes and excerpts extracted from If you have questions about this policy or would like to incorporate
this report must not be modified in any way. Rephrasing is content from this report in a manner not addressed by this policy,
not permitted. submit an email to [email protected].
Copyright © 2022, CyberEdge Group, LLC. All rights reserved. The CyberEdge Group name and logo are the property of CyberEdge Group, LLC.
2022 CyberthreatAllDefense Report
other company names, trademarks, and service marks are the property of their respective owners. Version 1.0 67

CyberEdge 2022 CDR Report

Uploaded by

Copyright:

Available Formats

CyberEdge 2022 CDR Report

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CyberEdge 2022 CDR Report

Uploaded by

Copyright:

Available Formats

2022 Cyberthreat Defense Report

North America | Europe | Asia Pacific | Latin America

<< Research Sponsors >>

Practices and The Survey Research Research About

2022 Cyberthreat Defense Report 2

Practices and The Survey Research Research About

CyberEdge’s annual Cyberthreat Defense Report (CDR) plays a

2022 Cyberthreat Defense Report 3

Practices and The Survey Research Research About

2022 Cyberthreat Defense Report 4

Practices and The Survey Research Research About

Section 2: Perceptions and Concerns Navigating This Report

Section 4: Practices and Strategies

2022 Cyberthreat Defense Report 5

Practices and The Survey Research Research About

Current Security Posture Current and Future Investments

2022 Cyberthreat Defense Report 6

Practices and The Survey Research Research About

Section 1: Current Security Posture

Past Frequency of Successful Cyberattacks

Not once It isn’t a matter of money: IT security budgets have continued

However, the typical organization’s attack surface continues

still substantially larger than in any of the prior seven years of

“A short summary of the cybersecurity

2022 Cyberthreat Defense Report 7

Practices and The Survey Research Research About

Section 1: Current Security Posture

Manufacturing China 86.0%

Retail 85.6% South Africa 84.0%

2022 Cyberthreat Defense Report 8

Practices and The Survey Research Research About

Section 1: Current Security Posture

Future Likelihood of Successful Cyberattacks

2022 Cyberthreat Defense Report 9

Practices and The Survey Research Research About

Section 1: Current Security Posture

Singapore 84.0% Education 84.1%

UK 83.4% Telecom & Technology 79.1%

Saudi Arabia 80.0%

Mexico 63.6% Figure 7: Percentage indicating compromise is “more likely to occur

Figure 6: Percentage indicating compromise is “more likely to occur

2022 Cyberthreat Defense Report 10

Practices and The Survey Research Research About

Section 1: Current Security Posture

Security Posture by IT Domain

Cloud applications (SaaS) 4.13

Servers (physical and virtual) 4.12

Datastores (file servers, databases, SANs) 4.11

Laptops / notebooks 4.11

Application Containers 4.09

Cloud infrastructure (IaaS, PaaS) 4.08

Application program interfaces (APIs) 4.02

Internet of Things (IoT) 4.01

Industrial control systems (ICS) / SCADA devices 4.0

Mobile devices (smartphones, tablets) 3.98

Figure 8: Perceived security posture by IT domain.

2022 Cyberthreat Defense Report 11

Practices and The Survey Research Research About

Section 1: Current Security Posture

Respondents are also confident about physical and virtual

2022 Cyberthreat Defense Report 2

2022 Cyberthreat Defense Report 3

2022 Cyberthreat Defense Report 4

2022 Cyberthreat Defense Report 5

2022 Cyberthreat Defense Report 6

2022 Cyberthreat Defense Report 7

2022 Cyberthreat Defense Report 8

2022 Cyberthreat Defense Report 9

2022 Cyberthreat Defense Report 10

2022 Cyberthreat Defense Report 11

2022 Cyberthreat Defense Report 12

2022 Cyberthreat Defense Report 13

2022 Cyberthreat Defense Report 14

2022 Cyberthreat Defense Report 15

2022 Cyberthreat Defense Report 16

2022 Cyberthreat Defense Report 17

2022 Cyberthreat Defense Report 18

2022 Cyberthreat Defense Report 19

2022 Cyberthreat Defense Report 20