
2023 Cyberthreat Defense Report

North America | Europe | Asia Pacific | Latin America | Middle East | Africa

[Research sponsor logos: Platinum, Gold, and Silver sponsors]
Navigation tabs: Introduction | Table of Contents | Research Highlights | Current Security Posture | Perceptions and Concerns | Current and Future Investments | Practices and Strategies | The Road Ahead | Survey Demographics | Research Methodology | Research Sponsors | About CyberEdge Group

Table of Contents

Introduction (page 3)
Research Highlights (page 6)
Section 1: Current Security Posture (page 7)
    Past Frequency of Successful Cyberattacks (page 7)
    Future Likelihood of Successful Cyberattacks (page 9)
    Security Posture by IT Domain (page 11)
    Assessing IT Security Functions (page 13)
    The IT Security Skills Shortage (page 15)
Section 2: Perceptions and Concerns (page 17)
    Concern for Cyberthreats (page 17)
    Concern for Web and Mobile Attacks (page 19)
    Responding to Ransomware (page 21)
    Double or More Extortion Ransomware (page 24)
    Barriers to Establishing Effective Defenses (page 26)
    Benefits of Unified App and Data Security Defenses (page 28)
    Hybrid Cloud Security Challenges (page 30)
    Benefits of Achieving IT Security Certifications (page 32)
Section 3: Current and Future Investments (page 34)
    IT Security Budget Change (page 34)
    Network Security Deployment Status (page 36)
    Endpoint Security Deployment Status (page 38)
    Application and Data Security Deployment Status (page 40)
    Security Management and Operations Deployment Status (page 42)
Section 4: Practices and Strategies (page 44)
    Technologies Playing a Role in Zero Trust Security (page 44)
    Increasing Security Awareness Among Employees (page 46)
    Security Leaders Engaging with Boards of Directors (page 48)
    Technologies Playing the Biggest Roles Against Sophisticated Threats (page 50)
    Use Cases for Extended Detection and Response (XDR) (page 52)
    Emerging IT Security Technologies and Architectures (page 53)
The Road Ahead (page 55)
Appendix 1: Survey Demographics (page 58)
Appendix 2: Research Methodology (page 60)
Appendix 3: Research Sponsors (page 61)
Appendix 4: About CyberEdge Group (page 64)

2023 Cyberthreat Defense Report 2



Introduction

CyberEdge’s annual Cyberthreat Defense Report (CDR) plays a unique role in the IT security industry. Other surveys do a great job of collecting statistics on cyberattacks and data breaches and exploring the techniques of cybercriminals and other bad actors. Our mission is to provide deep insight into the minds of IT security professionals.

Now in its tenth year, the CDR has become a staple among IT security leaders and practitioners by helping them gauge their internal practices and security investments according to those of their counterparts across multiple countries and industries. If you want to know what your peers in IT security are thinking and doing, this is the place to look.

CyberEdge would like to thank our Silver, Gold, and Platinum research sponsors, whose continued support is essential to the success of this report.

Survey Demographics

• Responses received from 1,200 qualified IT security decision makers and practitioners
• All from organizations with more than 500 employees
• Representing 17 countries across North America, Europe, Asia Pacific, the Middle East, Latin America, and Africa
• Representing 19 industries

Top Five Insights for 2023

Our CDR reports yield dozens of actionable insights. Here are the top five takeaways from this year’s installment:

1. Pressure on IT security teams may be easing – finally. The percentage of organizations compromised by at least one successful cyberattack peaked at 86.2% in our 2021 report. But after rising for years, it dipped slightly last year to 85.3%, and again in this report to 84.7% (see page 7). The percentage of organizations victimized by six or more successful attacks fell from 40.7% to 39.2% over the last year. Finally, the percentage of organizations expecting to be compromised in the coming year dropped a substantial 4.3% since our last report, from 76.1% to 71.8% (page 9). It is too early to be certain, but it seems like we may have turned a corner.

2. Our Threat Concern Index also fell. We asked our respondents about their level of concern with 13 types of threats, from malware, phishing, and ransomware to advanced persistent threats (APTs), DDoS attacks, and supply chain threats. Compared to last year, their level of concern decreased in 12 of the 13 categories (all except supply chain threats). We averaged the ratings across all 13 threats into a “Threat Concern Index.” The index fell from 3.88 in the last survey to 3.82 in this one (page 18). This implies that IT security professionals are starting to become more confident about their ability to defend against attacks.

3. Double or more extortion ransomware is real, and very common. Once “ransomware” was synonymous with encrypting files. Now it can involve one, two, or more threats on top of that, such as publicly releasing exfiltrated data and launching DDoS attacks to amplify pressure on the victims. In fact, it usually does. Only 21.6% of ransomware attacks last year involved encryption alone. A second threat is involved in 40.9% of attacks, while 30.4% include three threats, and 7.2% incorporate four (page 25).

4. IT security leaders do have a seat at the table – with the board. In organizations that have a board of directors, IT security leaders engage with them in some fashion 97.1% of the time. About half provide periodic cyber risk assessment reports, and almost as many present regularly at board meetings. More than a third share measurements of the maturity of their security programs (page 48).


5. Zero trust is cropping up everywhere. Zero trust concepts are driving a lot of investment in technologies like multi-factor authentication (MFA), endpoint detection and response (EDR), privileged account management (PAM), and email and network encryption (page 44). Almost four out of five organizations say they are using or implementing zero trust network access (page 53). Zero trust frameworks are becoming core organizing models for many IT security programs.

About This Report

The CDR is the most geographically comprehensive, vendor-agnostic study of IT security decision makers and practitioners. Rather than compiling cyberthreat statistics and assessing the damage caused by data breaches, the CDR surveys the perceptions of IT security professionals, gaining insights into how they see the world.

Specifically, the CDR examines:

‹ The frequency of successful cyberattacks in the prior year and optimism (or pessimism) about preventing further attacks in the coming year
‹ The perceived impact of cyberthreats and the challenges faced in mitigating their risks
‹ The adequacy of organizations’ security postures and their internal security practices
‹ The organizational factors that present the most significant barriers to establishing effective cyberthreat defenses
‹ The investments in security technologies already made and those planned for the coming year
‹ The health of IT security budgets and the portion of the overall IT budget they consume

By revealing these details, we hope to help IT security decision makers and practitioners gain a better understanding of how their perceptions, concerns, priorities, and defenses stack up against those of their peers around the world. IT security teams can use the data, analyses, and findings to shape answers to many important questions, such as:

‹ Where do we have gaps in our cyberthreat defenses relative to other organizations?
‹ Have we fallen behind in our defensive strategy to the point that our organization is now the “low-hanging fruit” (i.e., likely to be targeted more often due to its relative weaknesses)?
‹ Are we on track with both our approach and progress in continuing to address traditional areas of concern while tackling the challenges of emerging threats?
‹ How does our level of spending on IT security compare to that of other organizations?
‹ Do other IT security practitioners think differently about cyberthreats and their defenses, and should we adjust our perspective and plans to account for these differences?

Another important objective of the CDR is to provide developers of IT security technologies and services with information they can use to better align their solutions with the concerns and requirements of potential customers. Our data can lead to better market traction and success for solution providers, along with better cyberthreat protection technologies for all the intrepid defenders out there.

The findings of the CDR are divided into four sections:

Section 1: Current Security Posture

Our journey into the world of cyberthreat defenses begins with respondents’ assessments of the effectiveness of their organization’s investments and strategies relative to the prevailing threat landscape. They report on the frequency of successful cyberattacks, judge their organization’s security posture in specific IT domains and security functions, and provide details on the IT security skills shortage. The data will help readers begin to assess:

‹ Whether, to what extent, and how urgently changes are needed in their own organization
‹ Specific countermeasures that should be added to supplement existing defenses


Section 2: Perceptions and Concerns

In this section, our exploration of cyberthreat defenses shifts from establishing baseline security postures to determining the types of cyberthreats and obstacles to security that most concern today’s organizations. The survey respondents weigh in on the most alarming cyberthreats, barriers to establishing effective defenses, and high-profile issues such as ransomware and security for hybrid cloud environments. These appraisals will help readers think about how their own organizations can best improve cyberthreat defenses going forward.

Section 3: Current and Future Investments

Organizations can ill afford to stand still when it comes to maintaining effective cyberthreat defenses. IT security teams must keep pace with changes occurring in business, technology, and threat landscapes. This section of the survey provides data on the direction of IT security budgets, and on current and planned investments in network security, endpoint security, application and data security, and security management and operations. Readers will be able to compare their organization’s investment decisions against the broad sample and get a sense of what “hot” technologies their peers are deploying.

Section 4: Practices and Strategies

Mitigating today’s cyberthreat risks takes more than investing in the right technologies. You must ensure those technologies are deployed optimally, configured correctly, and monitored adequately to give your organization a fighting chance to avoid being a front-page news story. In the final section of the survey our respondents provide information on technologies they are using to support zero trust, how they are increasing security awareness among employees, and how IT security leaders are engaging with their board of directors. We also look at new technologies that organizations are using to defend against sophisticated threats and improve the performance of their security program.

Navigating This Report

We encourage you to read this report from cover to cover, as it’s chock full of useful information. But there are three other ways to navigate through this report, if you are seeking out specific topics of interest:

‹ Table of Contents. Each item in the Table of Contents pertains to specific survey questions. Click on any item to jump to its corresponding page.
‹ Research Highlights. The Research Highlights page showcases the most significant headlines of the report. Page numbers are referenced with each highlight so you can quickly learn more.
‹ Navigation tabs. The tabs at the top of each page are clickable, enabling you to conveniently jump to different sections of the report.

Contact Us

Do you have an idea for a new topic that you’d like us to address next year? Or would you like to learn how your organization can sponsor next year’s CDR? We’d love to hear from you! Drop us an email at [email protected].


Research Highlights

Current Security Posture

‹ The cybersecurity battle may have reached a turning point. The percentage of organizations compromised by successful attacks declined for the second year from 85.3% to 84.7% (page 7).
‹ Optimism about the year ahead. The percentage of security professionals who think a successful attack is likely or very likely fell 4.3%, to 71.8%, a big change from recent years (page 9).
‹ ICS and IoT are concerns. Among security domains, respondents are least confident about their ability to protect industrial control systems and IoT devices (page 11).
‹ IAM is good, but attack surfaces are too large. Organizations are relatively happy with their capabilities for identity and access management, but they are not making progress in attack surface reduction (page 13).
‹ Security job openings are still hard to fill. Demand for security talent vastly exceeds supply, and recent layoffs in high tech won’t make much difference (page 15).

Perceptions and Concerns

‹ Threat Concern Index declines. IT security professionals are still concerned about a lot of threats…but less concerned than they were last year (page 17).
‹ Web and mobile attacks. Among web and mobile application threats, PII harvesting, account takeover, and payment fraud attacks continue to be most concerning (page 19).
‹ Good and bad news on ransomware. Successful attacks are up, ransom demands are bigger, but the percentage of organizations paying ransoms fell (page 21).
‹ Double and triple extortion ransomware is now the norm. More than three-quarters of ransomware attacks (78.4%) now include two or more threats (page 24).
‹ Shortage of skilled personnel handicaps security teams. Lack of skilled personnel is the greatest barrier to IT security success, and low security awareness among employees is number two (page 26).
‹ Gains from unified app and data security. Improving cloud security posture and enhancing incident investigation are the biggest reasons to integrate application and data security on the same platform (page 28).
‹ Hybrid cloud environments aren’t easy. Respondents list several challenges they face when transitioning applications to multiple cloud platforms (page 30).
‹ Respect tops money as motivation for security certifications. Why work on IT security certifications? Knowledge, credibility, and job satisfaction lead the list (page 32).

Current and Future Investments

‹ Security spending is still strong. A very solid 87.7% of respondents expect their IT security budget to increase this year, with average growth of 5.3% (page 34).
‹ Network security workhorses. Advanced threat protection, secure email gateways, and secure web gateways are the most frequently installed network security solutions (page 36).
‹ New technologies for endpoint security. Security teams are looking hard at deception technology and browser/internet isolation to add new capabilities to their endpoint defenses (page 38).
‹ Hot topics for app and data security. Most organizations have invested in API gateways and protection products, database firewalls, and web application firewalls (WAFs). Bot management is on the shopping list for this year (page 40).
‹ Security management and operations covers a lot of ground. We discuss the latest “in use” and “must have” tools for improving security programs (page 42).

Practices and Strategies

‹ Technologies supporting zero trust. MFA and EDR play the most significant roles in zero trust initiatives, but other technologies are almost as important (page 44).
‹ How do you increase security awareness? The vast majority of organizations are working to increase security awareness among employees, but methods differ (page 46).
‹ IT meets the BOD. IT security leaders are now engaging with their board of directors in a surprising number of ways (page 48).
‹ Sophisticated defenses against sophisticated threats. IT teams are depending on network behavior analysis, deception technology, and artificial intelligence (AI) to counter the most sophisticated attacks (page 50).
‹ Use cases for XDR. Extended detection and response solutions are helping organizations identify hidden cyberthreats, improve productivity, and accelerate incident response (page 52).
‹ Way past hype. Six relatively new technologies and architectures are in use or being implemented by at least 70% of organizations (page 53).


Section 1: Current Security Posture

Past Frequency of Successful Cyberattacks


How many times do you estimate that your organization’s global network has been compromised
by a successful cyberattack within the past 12 months?

Has the cybersecurity battle reached a turning point? It’s too early to say for sure, but after years of losing ground, this year’s CDR provides evidence that IT security professionals are becoming more optimistic. Evidence of that hopeful trend starts with the first two questions of our survey, about successful cyberattacks in the past year and the likelihood of successful cyberattacks in 2023.

While one year does not a trend make, two years sometimes does. After a long upward movement, the percentage of organizations that were compromised by at least one successful cyberattack fell from 86.2% two surveys ago, to 85.3% in last year’s survey, to 84.7% in this one. In addition, the portion of organizations reporting six or more successful attacks over the past 12 months fell for the first time in five years, from 40.7% in the last survey to 39.2% (see Figure 1).

Those findings shouldn’t cause anyone to let down their guard. Both figures about successful attacks in the past year are the third highest in the history of our survey, exceeding the figures for all the years between 2014 and 2020. A large number of organizations are being compromised multiple times (see Figure 2). But as we will see later in this report, several indicators are pointing toward slightly more confidence that today’s cybersecurity defenses can hold off the myriad cyberthreats facing today’s commercial enterprises and government agencies.

What do we think has led to this more positive attitude? One factor is the relaxation of some of the challenges created (or at least heightened) by COVID-19. Relative to the peak times of the pandemic, people are spending fewer days working from home, where they are more vulnerable, and more working in offices, where data and applications are easier to protect. Similarly, workers are relying somewhat less on personally owned devices (BYOD) and more on company laptops and smartphones with more controls.

[Figure 1: Percentages compromised by at least one successful attack and by six or more successful attacks. Two series, 2014 through 2023: “At least one successful attack” (86.2% in 2021, 85.3% in 2022, 84.7% in 2023) and “Six or more successful attacks” (40.7% in 2022, 39.2% in 2023).]

Figure 2: Frequency of successful cyberattacks in the last 12 months.
    Not once: 15.3%
    Between 1 and 5 times: 45.5%
    Between 6 and 10 times: 27.4%
    More than 10 times: 11.8%


But of even more importance for the long term, we think organizations are finally seeing returns on investments made during the pandemic. These include deploying technologies and practices such as machine learning, security analytics, network monitoring, deception, and zero trust network access. ROI also results from efforts to improve cybersecurity awareness among users and create closer working relationships between IT security teams and top executives and boards of directors. We will be discussing these factors throughout this report.

There are a few interesting variations in the rates of compromise reported. Of the seven major industries surveyed for this report, the most often victimized were finance (95.7%) and telecom & technology (88.9%). These were followed by retail (85.6%) and healthcare (79.2%). Things seemed to have improved in education, which declined from 90.5% in the last survey to 78.9% in this one. The major industries compromised the least were manufacturing (77.5%) and government (74.4%) (see Figure 3).

Figure 3: Percentage compromised by at least one successful attack in the past 12 months, by industry.
    Finance: 95.7%
    Telecom & Technology: 88.9%
    Retail: 85.6%
    Healthcare: 79.2%
    Education: 78.9%
    Manufacturing: 77.5%
    Government: 74.4%

Looking globally, there were three countries where more than half of the organizations reported six or more successful cyberattacks during the year: Mexico (56.3%), Australia (55.1%), and Germany (52.0%). In the United States, the number was just under half (48.6%). Which countries had the fewest organizations with six or more successful attacks? The answer: Japan (15.6%), France (16.5%), Colombia (20.0%), Italy (22.0%), Brazil (22.6%), and China (24.0%) (see Figure 4).

Figure 4: Percentage compromised by six or more successful attacks in the past 12 months, by country.
    Mexico: 56.3%
    Australia: 55.1%
    Germany: 52.0%
    USA: 48.6%
    Saudi Arabia: 44.0%
    UK: 43.9%
    Spain: 42.5%
    South Africa: 40.8%
    Canada: 37.5%
    Singapore: 31.3%
    Turkey: 28.0%
    China: 24.0%
    Brazil: 22.6%
    Italy: 22.0%
    Colombia: 20.0%
    France: 16.5%
    Japan: 15.6%


Future Likelihood of Successful Cyberattacks


What is the likelihood that your organization’s network will become compromised by a successful
cyberattack in 2023?

[Figure 5: Percentage indicating compromise is “more likely to occur than not” in the next 12 months. Two series, 2014 through 2023: “Somewhat or very likely” (61.5% in 2017, 75.6% in 2021, 76.1% in 2022, 71.8% in 2023) and “Very likely” (19.7% in 2018, 35.1% in 2022, 32.9% in 2023).]

The idea that the cybersecurity battle has reached a turning point after so many years of bad news is supported by respondents’ perspectives on the coming year. The portion saying it was somewhat or very likely that their organization would suffer a successful cyberattack in the year ahead grew steadily from 61.5% in 2017 to 76.1% in our 2022 survey. This year, however, that figure fell 4.3%, a significant drop, to 71.8%.

The same pattern is evident if you look only at the percentage who answered “very likely.” That number rose continuously from 19.7% in 2018 to 35.1% four years later, but declined to 32.9% in this survey. This drop shows a definite gain in confidence.

As we mentioned in the previous section, we think the turnaround is due to a combination of factors, including fewer days of work at home, less use of unmanaged BYOD devices, the payoff from security investments made during the pandemic, and increased cybersecurity awareness among users.

An interesting dynamic we have noticed every year is the tendency for respondents to be optimistic that the coming year will be better than the past one. That trend carried over to this year, with 84.7% reporting that their organization had suffered at least one successful attack the previous year (see Figure 1), versus the 71.8% who think it somewhat or very likely that they will be compromised in 2023. But perhaps there is more reason for optimism this year than in the past!


The respondents predicting the highest rate of successful cyberattacks were in China (86.0%), Australia (82.0%), and Saudi Arabia (80.0%). In the middle of the pack: the United States (74.2%), Germany (73.3%), Canada (73.0%), Italy (72.4%), and the United Kingdom (72.2%). The optimists were in France (63.9%), South Africa (62.0%), Brazil (53.0%), and Turkey (at 46.0%, the country with the least worried survey participants for the second year in a row) (see Figure 6).

By industry, respondents from finance are the most certain of successful attacks (84.5%), followed by those from retailers (75.6%), telecom & technology companies (73.8%), and educational institutions (70.2%). Only around two-thirds of participants from manufacturers (66.7%), healthcare organizations (65.7%), and government agencies (64.6%) are expecting to be compromised (see Figure 7).

Figure 6: Percentage indicating compromise is “more likely to occur than not” in the next 12 months, by country.
    China: 86.0%
    Australia: 82.0%
    Saudi Arabia: 80.0%
    Spain: 76.0%
    Japan: 76.0%
    Mexico: 75.1%
    USA: 74.2%
    Germany: 73.3%
    Canada: 73.0%
    Italy: 72.4%
    UK: 72.2%
    Singapore: 71.4%
    Colombia: 65.7%
    France: 63.9%
    South Africa: 62.0%
    Brazil: 53.0%
    Turkey: 46.0%

Figure 7: Percentage indicating compromise is “more likely to occur than not” in the next 12 months, by industry.
    Finance: 84.5%
    Retail: 75.6%
    Telecom & Technology: 73.8%
    Education: 70.2%
    Manufacturing: 66.7%
    Healthcare: 65.7%
    Government: 64.6%


Security Posture by IT Domain


On a scale of 1 to 5, with 5 being highest, rate your organization’s overall security posture
(ability to defend against cyberthreats) in each of the following IT components:

Servers (physical and virtual) 4.15

Cloud infrastructure (IaaS, PaaS) 4.15

Cloud applications (SaaS) 4.14

Websites and web applications 4.08


Laptops / notebooks 4.07

Application Containers 4.06

Datastores (file servers, databases, SANs) 4.04


Network perimeter / DMZ (public web servers) 4.03

Desktops (PCs) 4.02

Application programming interfaces (APIs) 4.00

Mobile devices (smartphones, tablets) 3.99

Internet of Things (IoT) 3.95

Industrial control systems (ICS) / SCADA devices 3.94

Figure 8: Perceived security posture by IT domain.

In every survey we ask security professionals to assess how well their organization is prepared to defend 13 different IT domains. This year, the story seems to be that the rich are getting richer and the poor are becoming poorer, or more accurately, that the safe are getting safer and the less secure are becoming even more worrying.

Examples of the safe getting safer? Security posture ratings rose for the top two domains in last year’s survey. The score for physical and virtual servers increased from 4.12 to 4.15 (on a scale of 1 to 5, with 5 being the best overall security posture), and the score for SaaS cloud applications edged up from 4.13 to 4.14.


But the biggest winner this year was cloud infrastructure, in the form of infrastructure as a service (IaaS) and platform as a service (PaaS) offerings. Last survey they were in the middle of the pack, in seventh place with a score of 4.08. This year they jumped into a tie for first place at 4.15. This represents a milestone for IaaS and PaaS vendors. Security professionals now are just as confident about the security of applications running on those cloud platforms as in the security of apps running on servers in corporate data centers and offices.

Examples of the less secure becoming even more worrying? The two IT domains at the bottom of our list are Internet of Things (IoT) and industrial control systems (ICS)/supervisory control and data acquisition (SCADA) devices. Ratings of the security posture of both of these areas fell a substantial .06 since last year, to 3.95 and 3.94, respectively.

IoT devices and industrial systems are becoming a focus of concern for several reasons:
‹ The astounding proliferation of internet-connected devices in offices, factories, homes, vehicles, cities, utilities, transportation networks, etc., etc.
‹ The emergence of new threats against these devices, such as the Mirai botnet and the Verkada hack, from military organizations and state-sponsored attackers as well as cybercriminals
‹ The success of supply chain-based attacks such as the SolarWinds hack that affect hundreds of organizations at one time

Clearly this is an area where IT security professionals feel at risk and are hoping for better solutions from the cybersecurity vendor community.

Two other IT domains that make security professionals nervous: application programming interfaces (APIs) and mobile devices.

Organizations and software vendors are releasing more cloud applications made up of many modular services. These services depend on APIs to interact with hundreds of other services. Most organizations do not have a lot of experience creating and managing secure APIs. Threat actors have recognized that these APIs represent a large and growing attack surface. No wonder APIs are a growing area of concern!

Mobile devices continue to be a touchy area for IT organizations. Workers and customers want to use them for more and more business and personal transactions, yet these devices can’t support the same security controls as conventional computers. In addition, threat actors have realized that by compromising mobile devices they can defeat some multifactor authentication (MFA) solutions and gain wide access to corporate networks and applications. We have seen a lot of progress in security tools to protect and monitor mobile devices, but IT security professionals are definitely not yet comfortable with what their organizations have in place.


Assessing IT Security Functions


On a scale of 1 to 5, with 5 being highest, rate the adequacy of your organization’s capabilities
(people and processes) in each of the following functional areas of IT security:

Identity and access management (IAM) 4.13


Application development and testing
(SDLC, DevSecOps) 4.13

Security engineering / architecture and design 4.13

Detection of rogue insiders / insider attacks 4.13

Incident investigation and response 4.12

Governance, risk, and compliance (GRC) 4.10

Detection of advanced / sophisticated threats 4.10

Cyber risk quantification and reporting 4.10

Brand protection 4.08

User security awareness / education 4.08

Third-party risk management (TPRM) 4.07


Attack surface reduction (patch management, pen testing) 4.03

Figure 9: Perceived adequacy of functional security capabilities.

We turn our attention now to how our respondents rate the adequacy of their organization’s capabilities across 12 IT security functions. Which ones do they think are strongest, and which ones might need some improvement?

The scores and the rankings of most of the functional areas were very similar to last year’s results. However, a few did move up or down on the list.

For example, many organizations think they have gotten better at detecting shenanigans by insiders. Detection of rogue insiders/insider attacks moved up from ninth on the list in the last survey to fourth in this one (the score rose from 4.09 to 4.13 on a scale of 1 to 5, with 5 being most capable). We believe this is due to better monitoring of data and network activity (including the use of AI to detect unusual activity by employees and contractors) and more-effective application of least privilege and other zero trust principles.


On the other hand, the assessment of governance, risk, and compliance moved in the other direction, dropping from a tie for first place in 2022 to a three-way tie for sixth place now (4.14 to 4.10). We suspect that the causes of this decline have less to do with any weakening of capabilities, and more to do with increasing demands for better governance and risk management.

Two other functional areas that dropped a bit over the year: detection of advanced/sophisticated threats (from third place to a tie for sixth) and brand protection (from a tie for sixth to ninth). Again, this is probably the result of new threats and rising expectations outpacing current capabilities.

The assessments of most of the other security functions remain broadly the same as last year. Organizations are most comfortable with their people and processes in the areas of identity and access management, application development and testing, security engineering, architecture and design, and the aforementioned detection of rogue insiders/insider attacks (all 4.13). Incident investigation and response is only slightly behind, at 4.12.

At the other end of the scale, respondents were least confident about their organization’s capabilities for brand protection (4.08), user security awareness/education (also 4.08), third-party risk management (4.07), and attack surface reduction (4.03).

Is it surprising that attack surface reduction has been at the bottom of this list for two years running? Yes and no. It is surprising in that most of the activities that go into attack surface reduction, such as patch management, penetration testing, and network segmentation, have been around for a long time and don’t involve any great leaps in technology or knowledge. However, it is less surprising when we think about how attack surfaces have expanded over the last few years with the increase in home and remote work, the movement of applications to dispersed cloud data centers, the explosion of IoT devices, and the integration of manufacturing and operational technology (OT) into IT networks, among other developments.

Attack surface reduction is one of those areas where you work harder and harder, but the task keeps expanding to offset your improvements. As the Red Queen said to Alice in Through the Looking-Glass: “Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”


The IT Security Skills Shortage


Select the roles/areas for which your organization is currently experiencing a shortfall of skilled
IT security personnel. (Select all that apply.)

A serious shortage of skilled IT security professionals has been a theme of our survey for quite a while. In fact, for the past seven years it has been the #1 or #2 factor inhibiting organizations from adequately defending themselves against cyberthreats (see page 26).

As this report was being written in early 2023, the news media was detailing massive layoffs in high tech. Industry leaders that have announced employee reductions of a thousand or more include Alphabet (Google’s parent company), Amazon, Dell, IBM, Meta (the parent company of Facebook), Microsoft, PayPal, Salesforce, Twitter, and Zoom. So, will a flood of laid-off tech industry employees fill the gap in the market for IT security personnel? Almost certainly not.

First, while high tech companies are cutting staff in areas like marketing, sales, product management, and human resources, most are holding onto their security professionals. Well, with the exception of Twitter, which has jettisoned workers across the board. We’ll see how that works out.

Second, security people moving from tech companies will hardly make a dent in the massive shortage of skilled professionals. According to the 2022 ISC2 Cybersecurity Workforce Study, the global cybersecurity workforce gap is about 3.4 million, including 436,080 in North America, 515,879 in Latin America, 317,050 in Europe and the Middle East, and 2,163,468 in Asia. (Full disclosure: ISC2 is a sponsor of this report.)

With that out of the way, let’s look at our data.

As in most recent years, the greatest shortage is IT security administrators. Just over 40% of our respondents reported that their organization is currently experiencing a shortfall in that area (see Figure 10).

Figure 10: Cybersecurity skills shortage, by role (2023, with 2022 in parentheses).
IT security administrator 40.1% (40.5%)
IT security architect / engineer 35.6% (32.4%)
IT security analyst / operator / incident responder 35.5% (33.2%)
Application security tester 26.8% (28.5%)
IT security / compliance auditor 26.6% (28.6%)
DevSecOps engineer 26.6% (28.0%)
Risk/fraud analyst 25.7% (24.0%)


The second and third places are held by IT security architect/engineer (35.6%) and IT security analyst/operator/incident responder (35.5%).

Demand also greatly exceeds supply for application security testers (26.8%), IT security/compliance auditors (26.6%), DevSecOps engineers (also 26.6%), and risk/fraud analysts (25.7%).

The percentage of organizations experiencing a shortfall in at least one role was 86.6%, a tad higher than last year and the second highest in the history of our survey (see Figure 11).

Figure 11: Percentage of organizations experiencing a shortfall of skilled IT security personnel in at least one role, 2018–2023. (Bar values as extracted, without year labels: 80.9%, 84.1%, 84.2%, 84.8%, 86.6%, 87.0%; the 2023 value is 86.6%.)

By industry, shortages are most acute in finance (93.0%), followed by telecom & technology (87.4%) and education (85.5%) (see Figure 12).

Figure 12: Cybersecurity skills shortage, by industry.
Finance 93.0%
Telecom & Technology 87.4%
Education 85.5%
Manufacturing 84.8%
Retail 83.3%
Healthcare 82.2%
Government 81.2%


Section 2: Perceptions and Concerns

Concern for Cyberthreats


On a scale of 1 to 5, with 5 being highest, rate your overall concern for each of the following
types of cyberthreats targeting your organization.

Malware (viruses, worms, Trojans) 3.96

Account takeover / credential abuse attacks 3.95

Phishing / spear-phishing attacks 3.91

Ransomware 3.90

Advanced persistent threats (APTs) / targeted attacks 3.83

SSL-encrypted threats 3.81

Web application attacks (SQL injections, cross-site scripting) 3.81

Attacks on brand and reputation in social media and on the web 3.79

Denial of service (DoS/DDoS) attacks 3.77

Supply chain threats 3.75

Insider threats / data exfiltration by employees 3.75

Drive-by downloads / watering hole attacks 3.74

Zero-day attacks (against publicly unknown vulnerabilities) 3.72

Figure 13: Relative concern for cyberthreats by type.

Here is additional evidence that IT security professionals are becoming more confident. Our respondents know they must remain vigilant about a wide range of cyberthreats. However, compared with last year, the level of their concern decreased in 12 of 13 cyberthreat categories. The only exception was supply chain threats, which was unchanged at 3.75 (on a scale of 1 to 5, with 5 being the highest level of concern).

In fact, the scores decreased between .05 and .10 for seven types of cyberthreats: malware, ransomware, attacks on brand and reputation, DDoS, insider threats, drive-by downloads and watering-hole attacks, and zero-day attacks. While .05-.10 may not sound like much, for this type of survey it is a pretty significant change in one year, and we very rarely see multiple items in one question moving that much.


Each year we average these scores to create what we call our Threat Concern Index. As shown in Figure 14, this index fell from 3.88 in the last survey, a tie for the record, to 3.82 in this one. While that is not the largest change in the index ever, it is a notable one, especially since it breaks the rising trend of the past few years.

The two cyberthreats causing the greatest concern are the same as last year: malware (3.96, down from 4.01 in the previous survey) and account takeover/credential abuse attacks (3.95, down slightly from 3.97) (see Figure 13). Malware has been at the top of the list since 2016, no doubt because it is not only a threat in itself but also a common element of many types of attacks, including ransomware, APT, and zero-day attacks.

Phishing and spear phishing attacks are now in third place (3.91, slightly down from 3.93). Humans remain the weakest link in IT security, and a lack of security awareness among employees remains a pressing concern, as we discuss on page 26.

Ransomware slipped from third place last year to (just) behind phishing (3.90, down from 3.96). With all the attention given to ransomware recently, it might seem surprising that it dropped a notch. Perhaps security teams are slightly more confident because of the investments they have been making in detecting ransomware and in backing up data. Or perhaps they are heartened by governments and law enforcement agencies starting to take more-aggressive actions to rein in ransomware gangs.

At the other end of the spectrum, our respondents are least concerned about drive-by downloads/watering hole attacks (3.74) and zero-day attacks (3.72). As a matter of fact, since the last survey, the score for zero-day attacks decreased by .10, the largest drop of any of the cyberthreats mentioned in this question. We think this is the result of improvements in security tools that monitor activities on networks and endpoints, and use machine learning and AI to identify malicious actions early enough so that security teams can respond to and contain exploitation.

Figure 14: Threat Concern Index, depicting overall concern for cyberthreats, 2015–2023. (Index values as extracted, without year labels: 3.26, 3.52, 3.54, 3.71, 3.75, 3.79, 3.82, 3.88, 3.88; the 2022 value is 3.88 and the 2023 value is 3.82.)


Concern for Web and Mobile Attacks


Which of the following attacks on your web and mobile applications are most concerning? (Select up to three.)

Personally identifiable information (PII) harvesting 42.3%

Account takeover / credential stuffing attacks 40.2%

Carding / payment fraud attacks 35.7%

Digital skimming / Magecart attacks 29.4%

Ad fraud 22.6%

Denial of inventory attacks 22.3%

Hoarding attacks 18.9%

Figure 15: Most-concerning web and mobile application attacks.

Web and mobile attacks are a significant threat to ecommerce companies, financial institutions, and basically any organization that advertises or sells products on the web or through mobile apps. In addition, because an unfortunate number of people reuse the same passwords across personal and work accounts, some of these attacks can also be used to acquire credentials from just about any commercial or government organization.

Starting with last year’s survey, we have asked our respondents to select the three types of web and mobile attacks that most concern them. The rankings of the categories carried over from last year were unchanged. The top two, by a significant margin, are the harvesting (i.e., stealing) of personally identifiable information (PII), cited by 42.3% of our respondents, and account takeover (ATO) and credential stuffing attacks, selected by 40.2% (see Figure 15).

Not surprisingly, carding and payment fraud attacks are also up there, named by more than a third of the IT security professionals (35.7%). The selection rate was even higher for participants from companies in finance, retail, and entertainment and leisure.


Denial of inventory and hoarding attacks were issues for 22.3% and 18.9% of organizations, respectively. These are essentially application-level DDoS attacks. Typically, an attacker programs bots to go to an ecommerce site and put a large quantity of in-demand items into shopping carts, or to go to a travel site and temporarily lock up “inventories” of airline seats or hotel rooms. This tactic denies the items or inventory to legitimate buyers, preventing sales and harming the reputation of the merchants. The technique has also been known to be used by scalpers who have previously secured quantities of the items and want to drive up the price.

We added one new category to this year’s survey: ad fraud. This typically involves cybercriminals setting up websites, arranging to have advertising networks display ads on these sites, manufacturing a blizzard of clicks on the ads, then collecting per-click fees from the advertising network. The clicks can come from botnets, people in offshore “click farms,” or techniques such as “click hijacking” (redirecting a click from a real person on a real ad to one of the ads on the cybercriminal’s website). Ad fraud turns out to be a major concern for a non-trivial 22.6% of the organizations in our survey.

Responses also showed the pervasiveness of web and mobile attacks. A full 91.5% of organizations are affected by at least one of them (see Figure 16).

As you might expect, these attacks affected almost every company in finance (97.2%) and retail (94.1%) (see Figure 17). Organizations in education and manufacturing were affected less often – but not that much less often (91.1% and 86.0%, respectively).

Figure 16: Organizations affected by a web or mobile application attack.
Affected 91.5%
Not affected 8.5%

Figure 17: Organizations affected by a web or mobile application attack, by industry.
Finance 97.2%
Retail 94.1%
Telecom & Technology 93.0%
Healthcare 91.9%
Education 91.1%
Manufacturing 86.0%
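Two of the attack patterns this section describes, credential stuffing and denial of inventory/hoarding, leave distinctive traces in ordinary application access logs: one source trying many different usernames and mostly failing, or a handful of clients carting a large quantity of one item without ever checking out. The following Python is an added illustration of both detectors, not code from the report or from any of its sponsors. It runs over a constructed sample of log events; the event fields, the endpoint paths (/login, /cart/add, /checkout), the sample IP addresses and the thresholds are assumptions chosen for the example and should be tuned to real traffic.

```python
"""Detection heuristics for two web attacks discussed above, run over constructed
access-log events (not real traffic). Field names are assumptions for this example.

1. Credential stuffing: one IP tries many distinct usernames against /login in a
   short window, mostly failing.
2. Denial of inventory / hoarding: a few clients cart a large quantity of one SKU
   and none of them checks out.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    path: str
    status: int
    user: str = ""
    sku: str = ""
    qty: int = 0


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=20, min_fail_ratio=0.9):
    """Return {ip: (distinct_users, failures, attempts)} for source IPs whose
    login traffic in some sliding window looks like credential stuffing."""
    logins = defaultdict(list)
    for e in events:
        if e.path == "/login":
            logins[e.ip].append(e)
    flagged = {}
    for ip, evs in logins.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if e.status == 401)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if len(users) > flagged.get(ip, (0, 0, 0))[0]:  # keep widest window
                    flagged[ip] = (len(users), fails, len(win))
    return flagged


def detect_inventory_hoarding(events, window=timedelta(minutes=10),
                              min_units=100, max_clients=5):
    """Return {sku: (units_carted, distinct_clients)} for SKUs where at most
    max_clients carted min_units or more in the window and none checked out."""
    carted = defaultdict(list)      # sku -> [(ts, ip, qty)]
    checked_out = defaultdict(set)  # sku -> IPs that completed a checkout
    for e in events:
        if e.path == "/cart/add" and e.status == 200:
            carted[e.sku].append((e.ts, e.ip, e.qty))
        elif e.path == "/checkout" and e.status == 200:
            checked_out[e.sku].add(e.ip)
    flagged = {}
    for sku, adds in carted.items():
        adds.sort()
        start = 0
        for end in range(len(adds)):
            while adds[end][0] - adds[start][0] > window:
                start += 1
            win = adds[start:end + 1]
            ips = {ip for _, ip, _ in win}
            units = sum(q for _, _, q in win)
            if (units >= min_units and len(ips) <= max_clients
                    and not ips & checked_out[sku]):
                if units > flagged.get(sku, (0, 0))[0]:
                    flagged[sku] = (units, len(ips))
    return flagged


def sample_events():
    """Constructed sample: one stuffing source, one hoarded SKU, benign noise."""
    t0 = datetime(2023, 1, 15, 12, 0, 0)
    evs = []
    # 203.0.113.7 tries 40 different usernames in two minutes; one guess lands.
    for i in range(40):
        evs.append(Event(t0 + timedelta(seconds=3 * i), "203.0.113.7", "/login",
                         200 if i == 17 else 401, user=f"user{i:03d}@example.com"))
    # A real user mistypes twice, then logs in.
    for i, status in enumerate([401, 401, 200]):
        evs.append(Event(t0 + timedelta(seconds=30 * i), "198.51.100.20", "/login",
                         status, user="alice@example.com"))
    # Two bots cart 120 units of a scarce SKU in under four minutes, no checkout.
    for i in range(12):
        evs.append(Event(t0 + timedelta(seconds=20 * i), f"192.0.2.{10 + i % 2}",
                         "/cart/add", 200, sku="SKU-GPU-4090", qty=10))
    # Ordinary shoppers: one unit each of another SKU, and a completed checkout.
    for i in range(8):
        evs.append(Event(t0 + timedelta(minutes=i), f"198.51.100.{30 + i}",
                         "/cart/add", 200, sku="SKU-MOUSE-01", qty=1))
    evs.append(Event(t0 + timedelta(minutes=9), "198.51.100.30", "/checkout", 200,
                     sku="SKU-MOUSE-01", qty=1))
    return evs
```

Calling `detect_credential_stuffing(sample_events())` flags only 203.0.113.7 (40 distinct usernames, 39 failures), while the genuine user with two typos is ignored; `detect_inventory_hoarding` flags only SKU-GPU-4090 (120 units from two clients, no checkout). Both detectors key on the ratio of distinct identities to a single source, or of units to clients, rather than on raw request volume, which is what separates these application-layer attacks from ordinary busy traffic.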


Responding to Ransomware
If victimized by ransomware in the past 12 months, did your organization pay a ransom
(using Bitcoins or other anonymous currency) to recover data?

It’s been another very busy year in the world of ransomware. In many respects, negative trends have continued to play out. However, the percentage of organizations that paid ransoms actually declined, and there are other signs that the dynamics of the ransomware “market” might be changing. Let’s look at the details.

The percentage of organizations affected by ransomware increased yet again, from 71.0% in the last survey to 72.7% in this one, reaching a new high (see Figure 18).

Figure 18: Percentage of organizations victimized by ransomware.
2018 55.1%
2019 56.1%
2020 62.4%
2021 68.5%
2022 71.0%
2023 72.7%

We see several factors driving the continuing spread of ransomware in recent years, most importantly:
‹ Increased targeting of certain industries, such as healthcare and education. Ransomware gangs continue to refine their methods for terrorizing these organizations, such as encrypting patient records (interfering with life-and-death medical procedures) and student records (creating havoc for both enrollment and graduation).
‹ New targets and new methods, such as attacking supply chain participants (e.g., Kaseya and EMC) to compromise many downstream customers with one exploit, and developing ransomware attacks against OT and IoT devices.
‹ Perfecting double and triple extortion ransomware attacks (which we discuss at length in conjunction with the next question).
‹ Continuing increases in average ransomware payments (see data from Coveware in Figure 19), which provide incentives for more ransomware activity.

But one very important pattern may be reversing. The percentage of organizations that experienced a ransomware attack and paid the ransom declined 3.2 percentage points, from 62.9% to 59.7% (see Figure 20). Before this year, the percentage grew steadily from 38.7% in 2018 to 62.9% last year, with only one small (0.7 point) annual decrease in that period.

What might have caused this reversal? Here are some of the possibilities:
‹ Organizations investing more in backup and recovery processes, giving them confidence that they could recover data from saved copies.
‹ The emergence of decryption and data recovery service providers and the development of ransomware-specific decryption tools that enable victims to decrypt data without paying a ransom. One recent example is the release by the U.S. Federal government’s Cybersecurity and Infrastructure Security Agency (CISA) of a ransomware recovery script that counteracts the ESXiArgs ransomware.
‹ Some cyber insurance providers tightening their policies and the terms under which they will reimburse organizations for ransomware payments.
‹ Laws and regulations prohibiting ransom payments under certain circumstances.


Figure 19: Average ransom payments, by quarter (data source: Coveware Quarterly Ransomware Reports).
Q1'20 $111,605
Q2'20 $178,254
Q3'20 $233,817
Q4'20 $154,108
Q1'21 $220,298
Q2'21 $136,571
Q3'21 $139,739
Q4'21 $322,168
Q1'22 $211,529
Q2'22 $228,125
Q3'22 $258,143
Q4'22 $408,644

Legal and regulatory issues are becoming especially important for some organizations. Law enforcement agencies have been discouraging ransomware payments for some time, on the grounds that they fund criminal activity and encourage more attacks. Now they are going even farther.

For example, an advisory from the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), issued in 2020 and updated in 2021, warns that an organization that pays ransom to an entity that has been sanctioned by OFAC for criminal or terrorist activities “may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” The same applies to “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response [emphasis added].”

Meanwhile, authorities in the European Union and United Kingdom have made forceful statements against paying ransoms, and the EU Network and Information Systems (NIS) Directive gives EU members the right to impose fines on ransom payers.

Are these statements just a bluff from anxious bureaucrats? We are not aware of any case being brought against ransomware payers, but there certainly have been cases involving companies paying conventional ransoms to sanctioned terrorist organizations.

In short, while companies victimized by ransomware continue to face very unpleasant decisions about whether to pay or not pay, the pressures against paying have become stronger and may be reversing the trend to give in.

Figure 20: Percentage of victimized organizations paying ransoms.
2018 38.7%
2019 45.0%
2020 57.7%
2021 57.0%
2022 62.9%
2023 59.7%


Back to our data.

The percentage of organizations that elected to pay ransoms and did recover their data rose slightly from 72.2% to 72.7% (see Figure 21). The high percentage reflects the incentive for ransomware gangs to deliver on their promises to encourage future victims to pay up.

Figure 21: Percentage of ransom payers that recovered data. 2021 71.6%, 2022 72.2%, 2023 72.7%; earlier values as extracted, without year labels (2018–2020): 49.4%, 61.2%, 66.8%.

Among major industries, the ranking was exactly the same as last year (see Figure 22). The most frequently victimized were finance, telecom & technology, and education (88.6%, 80.0%, and 75.4%, respectively). The least affected were healthcare (58.9%) and government (49.0%).

Figure 22: Percentage of organizations victimized by ransomware in the last 12 months, by industry.
Finance 88.6%
Telecom & Technology 80.0%
Education 75.4%
Retail 70.9%
Manufacturing 62.0%
Healthcare 58.9%
Government 49.0%

As shown in Figure 23, the countries experiencing the most ransomware attacks were Germany (81.1%), Saudi Arabia (80.0%), China (also 80.0%), Spain (79.2%), and the United States (75.6%). Brazil (64.7%), France (63.5%), Canada (62.5%), and Japan (53.1%) were the most fortunate.

Figure 23: Percentage of organizations victimized by ransomware in the last 12 months, by country.
Germany 81.1%
Saudi Arabia 80.0%
China 80.0%
Spain 79.2%
USA 75.6%
South Africa 75.5%
UK 74.7%
Mexico 72.7%
Colombia 71.0%
Turkey 70.8%
Singapore 70.8%
Australia 69.4%
Italy 68.0%
Brazil 64.7%
France 63.5%
Canada 62.5%
Japan 53.1%


Double or More Extortion Ransomware


If victimized by ransomware in the past 12 months, which of the following threats did the attacker make
in addition to encrypting your data and/or systems if your organization failed to pay the ransom?

One of the most important developments in ransomware is the widespread adoption of double, triple, and even quadruple extortion varieties.

Until recently, ransomware was defined as malware that encrypted files on a computer and displayed a message demanding a payment in return for a key to decrypt the files. Now that definition is almost quaint. While there are still a significant number of “ransomware classic” attacks, there are many more that involve one, two, or even three threats on top of losing your data. Most of these involve exfiltrating copies of files to a server controlled by the attacker before the original files are encrypted on the target computers (see Figure 24 for an example of a “triple extortion” ransom demand).

Figure 24: Excerpt from a triple extortion ransomware attack threatening encryption, customer notification, and release of data.
  Attention!!!
  Send money within 3 days, otherwise we will expose some data and raise the price
  Don’t try to decrypt important files, it may damage your files
  Don’t trust who can decrypt, they are liars, no one can decrypt without key file
  If you don’t send bitcoins, we will notify your customers of the data breach by email
  And sell your data to your opponents or criminals, data may be made release

How many attacks involve more than one threat, and what threats are most common? That’s exactly what we wanted to know. So we asked respondents whose organization had been victimized by ransomware whether the attack included any of three additional threats:
‹ To release exfiltrated data (allowing it to fall into the hands of cybercriminals and others)
‹ To notify customers and the media of the breach (potentially undermining trust in the organization)
‹ To commit a DDoS attack against the organization (applying additional pressure to pay the ransom quickly rather than dragging out negotiations)

The results are shown in Figure 25. About two out of five ransomware attacks (39.8%) included a threat to release data publicly. Slightly more included threats to notify customers or the media of the data breach (41.5%) or apply pressure through a DDoS attack (41.9%).

Figure 25: Threats made in ransomware attacks in addition to losing encrypted data.
Threatened to publicly release exfiltrated data 39.8%
Threatened to notify your customers or the media of data breach 41.5%
Threatened to commit a DDoS attack against the organization 41.9%


Inquiring minds also want to know how many attacks are still the plain vanilla, you-will-lose-your-data variety, and how many qualify as double extortion, triple extortion, and even quadruple extortion attacks.

You can see the answers in Figure 26. Only 21.6% of the reported attacks were ransomware classic threats of losing encrypted data. The sweet spots for ransomware gangs were clearly one additional threat (40.9%) or two additional threats (30.4%). Three additional threats on top of encryption were relatively rare: only 7.2%. Which is good, because “quadruple extortion ransomware” sounds more like a difficult figure skating jump than a cyber menace.

Figure 26 data:
Lose encrypted data (only): 21.6%
Plus one additional threat: 40.9%
Plus two additional threats: 30.4%
Plus three additional threats: 7.2%

Figure 26: Number of threats made as part of a ransomware attack.


Barriers to Establishing Effective Defenses

On a scale of 1 to 5, with 5 being highest, rate how each of the following inhibit your organization from adequately defending itself against cyberthreats.

Lack of skilled personnel 3.66
Low security awareness among employees 3.63
Too much data to analyze 3.63
Poor/insufficient automation of threat detection and response processes 3.61
Lack of effective solutions available in the market 3.58
Poor integration/interoperability between security solutions 3.57
Lack of management support/awareness 3.56
Lack of budget 3.56
Lack of contextual information from security tools 3.54
Too many false positives 3.50

Figure 27: Inhibitors to establishing effective cyberthreat defenses.

We all know that it is important to set goals. But once you have a goal, often the next question is, “What is preventing us from reaching it?” Since one of the fundamental goals of IT security professionals is defending against cyberthreats, we asked our respondents what factors are inhibiting their organization from reaching that objective.

Figure 27 shows that the biggest inhibitor this year is, once again, lack of skilled personnel, with a score of 3.66 (on a scale of 1 to 5, with five highest). In fact, you have to go back to our 2017 edition to find a year when lack of skilled personnel was not first or second. As we saw on page 16, all but a mere 14% of organizations have a hiring shortfall in at least one cybersecurity job category.

Low security awareness among employees tied for second place, at 3.63. It has been in the first or second position for several years. If you are interested in this topic, skip to page 46 to see what training organizations are offering to improve security awareness.

The other factor in this second-place tie, too much data to analyze, moved up from fifth place in the previous survey. This is an example of too much of a good thing. Network monitoring tools, database monitoring tools, EDR solutions, and various types of firewalls and gateways are spitting out unprecedented quantities of security data, telemetry, risk signals, indicators of compromise (IoCs), and what have you. A lot of security teams are feeling overwhelmed.


It’s encouraging to see that poor integration/interoperability between security solutions dropped from third place in 2022 to sixth place now. Today, security vendors are offering more and better integrations between their products and other technologies in the security infrastructure.

It’s interesting to note which barriers to effective defenses are of relatively less concern to our respondents. Lack of management support and lack of budget are both near the bottom of this list. We think this reflects both the increased visibility of IT security to top management, and the fact that IT security leaders now are interacting with executives and boards of directors on a regular basis (see page 48).

The bottom two factors in this survey are lack of contextual information from security tools and too many false positives. Why should that be? Most likely the increasing use of security analytics and tools with AI capabilities is automating the work involved in correlating data from different sources and triaging alerts.

Now back to a theme that has been cropping up again and again in our data. The rating for every one of the 10 “inhibitors” included in this question declined between the last survey and this one. And when we average those ratings to calculate our “Security Concern Index,” we see that number fall from 3.65 two years ago and 3.64 last year to 3.58 this year (see Figure 28). That’s another clue that the tide may be turning in favor of IT security professionals feeling more confident.

Figure 28 (chart): Security Concern Index by year, 2014–2023; the index stood at 3.65 in 2021, 3.64 in 2022, and 3.58 in 2023.

Figure 28: Security Concern Index, depicting the average rating of security inhibitors.


Benefits of Unified App and Data Security Defenses

Which of the following have been the biggest benefits of leveraging a unified platform for application and data security defenses (e.g., WAF, DDoS protection, RASP, API security, data risk analytics, database security)? (Select up to three.)

Improved cloud security posture 49.1%
Enhanced security incident investigations 46.1%
Simplified security rules management 43.7%
Improved customer support experience 40.8%
Fewer third-party integrations to manage 34.2%

Figure 29: Benefits achieved by unifying application and data security defenses.

When looking at the data from the previous question, we noted that poor integration/interoperability between security solutions is becoming less of a challenge for IT security professionals. Part of that improvement comes from security vendors integrating their products with each other, and part from vendors integrating more technologies within their own solutions.

In this question we look at an example of the latter: vendors providing a unified platform for application and data security defenses such as WAFs, DDoS protection, runtime application self-protection (RASP), API security, risk analytics, and database security. What are the biggest benefits of leveraging an integrated offering in this space?


The benefit most often mentioned is improved cloud security posture, cited by 49.1% of our respondents (see Figure 29). As organizations migrate more workloads to the cloud, keeping them safe becomes a higher priority and a bigger challenge. Unifying related security technologies in a single platform can pay big dividends.

Another benefit, mentioned almost as often (46.1%), is enhanced security incident investigation. Fast, accurate incident response is obviously another key goal of IT security teams. Unified platforms take a lot of the work and delay out of assembling and analyzing contextual data to identify, contain, and reconstruct attacks.

Following close behind are simplified security rules management (43.7%) and improved customer support experience (40.8%), showing that the advantages of integrated security technologies extend to security architects and administrators and to customer support staffs.

What major industries are making the most use of unified platforms for application and data security? The adoption rate is 95% or above in telecom & technology, retail, and finance (see Figure 30).

Figure 30 data:
Telecom & Technology 98.6%
Retail 98.4%
Finance 95.0%
Manufacturing 94.9%
Healthcare 93.2%
Government 90.6%
Education 87.8%

Figure 30: Organizations that have implemented a unified platform for application and data security, by industry.


Hybrid Cloud Security Challenges

Which of the following hybrid cloud security challenges are most concerning? (Select up to three.)

Detecting unauthorized application usage (i.e., shadow IT), including torrent and crypto-mining 47.2%
Detecting and responding to cyberthreats 42.5%
Accessing and inspecting multi-cloud traffic 36.2%
Maintaining regulatory compliance 31.3%
Accessing and inspecting container traffic 31.0%
Meeting internal service level objectives (SLOs) 28.2%

Figure 31: Most concerning hybrid cloud security challenges.

Transitioning all your applications to one cloud platform can simplify your life. Someone else (the cloud platform provider) takes care of deploying and managing the infrastructure!

But the vast majority of organizations today (96%, according to our survey) work in some kind of hybrid cloud environment. That means applications are spread across data centers and private clouds, as well as public cloud platforms hosted by Amazon, Microsoft, Google, Alibaba, IBM, and others. This complexity creates a host of challenges for IT security teams.

Which hybrid cloud security challenges are most concerning? We’re glad you asked.

As shown in Figure 31, respondents from almost half of all organizations (47.2%) surveyed are very worried about detecting unauthorized application usage. They need to cope with departments that contract directly for cloud resources and services without informing IT, creating “shadow IT” activities without proper controls. They know that tech-savvy employees are using encryption and specialized protocols to exchange files and view suspicious sites on the dark web without being monitored. They have seen dedicated gamers tie up a lot of computing power without authorization. And they need to guard against unscrupulous employees who appropriate computing resources to mine cryptocurrencies or to run personal businesses on the side.

Next, 42.5% of survey respondents are concerned about their ability to detect and respond to cyberthreats. Some types of threats can only be detected by correlating data from across the enterprise – which is very hard to do in a hybrid cloud environment. Although cloud service providers are now offering very good security and network monitoring tools, most of them only cover the environment managed by that service provider.

Other significant challenges include accessing and assessing multi-cloud network traffic (36.2%), maintaining regulatory compliance (31.3%), and accessing and inspecting container traffic (31.0%).


Benefits of Achieving IT Security Certifications

Which of the following benefits have you experienced as a result of achieving one or more IT security professional certifications?

Expanded knowledge of my chosen IT security profession 49.3%
Increased credibility and respect 47.7%
Improved job satisfaction 44.6%
Increased opportunities for employment and/or advancement 42.8%
Increased compensation 36.0%

Figure 32: Benefits experienced as a result of achieving one or more IT security professional certifications.

IT security professionals clearly see a lot of value in studying for and obtaining certifications. But we wondered to what degree achieving IT security professional certification is motivated by the promise of job advancement and higher compensation, a desire for more knowledge, or other factors.

Well, according to our respondents, the biggest drivers are related to self-esteem, not material gain. As shown in Figure 32, the two benefits cited most often are expanded knowledge of IT security (49.3%) and increased credibility and respect (47.7%).

Third place on this list went to another non-material reward: improved job satisfaction (44.6%).

That’s not to say that IT security professionals behave entirely out of a sense of selfless altruism. Almost 43% mentioned the value of certifications for employment and advancement, and 36.0% said certification helped increase their compensation.


Still, it’s reassuring that the guardians of IT security take at least as much pleasure in improving their skills and being recognized for their work as they do in getting raises. That preference may not be as rare as we think. And there is scientific research behind it: the website of the Association for Psychological Science stated: “Respect Matters More Than Money for Happiness in Life.” (You can read that report at https://www.psychologicalscience.org/news/releases/respect-from-friends-matters-more-than-money-for-happiness-in-life.html.)

It is interesting to note that the ranking of these factors has been stable over time. We last asked this question in the 2020 Cyberthreat Defense Report, and the benefits of IT security certifications were listed in exactly the same order then as they are now.

The data shows some interesting differences between countries. As you can see from Table 1, expanded knowledge was the benefit selected most often in eight of the countries in the survey. Increased credibility and respect was at the top in five countries, improved job satisfaction led in one, and increased opportunities for employment and advancement was at the head of the list in three.

One more finding from the survey: of the respondents who don’t currently have an IT security professional certification, almost two-thirds plan to pursue one.

Table 1 (columns: Expanded knowledge of my chosen IT security profession; Increased credibility and respect; Improved job satisfaction; Increased opportunities for employment and/or advancement). Countries covered: Canada, Australia, Singapore, China, Brazil, France, South Africa, Colombia, Spain, Germany, Japan, UK, Italy, Turkey, Mexico, USA, Saudi Arabia; the placement of each country in its column did not survive extraction.

Table 1: Benefit experienced most often as a result of achieving IT security professional certifications, by country.


Section 3: Current and Future Investments

IT Security Budget Change

Do you expect your employer’s overall IT security budget to increase or decrease in 2023?

Our survey paints a positive financial picture for IT security groups in 2023. The percentage of organizations whose budgets increased reached a new record of 87.7% (see Figure 33). In addition, as shown in Figure 34, the size of the average increase reached a new high, 5.3%, compared with 4.6% last year.

These increases reflect greater management awareness of the importance of strong defenses and rapid response. Another factor may be management’s realization that international conflicts and rivalries could prompt malicious state-sponsored hackers to seek to disrupt commercial and government organizations of all types and sizes. On the positive side, increased spending may also reflect the success of IT leadership in communicating cybersecurity issues with top executives and boards of directors (see page 48).

Figure 35 breaks down the data for organizations expecting an increase. The sweet spot continues to be budget increases in the 5%-9% range. More than half of all organizations (55.3%) fell in that range. Only 15.5% are enjoying increases of 10% or more, while 16.9% are getting increases of less than 5%.

Figure 33 (chart): Percentage of organizations with rising security budgets, 2018–2023. The 2023 value is 87.7%, a new record; the earlier years plotted are 77.8%, 78.7%, 83.2%, 83.5%, and 85.4%.

Figure 33: Percentage of organizations with rising security budgets.

Figure 34 (chart): Mean annual increase of IT security budgets, 2018–2023. The mean increase was 4.6% in 2022 and 5.3% in 2023; the earlier years plotted are 4.0%, 4.7%, 4.9%, and 5.0%.

Figure 34: Mean annual increase of IT security budgets.

Figure 35 (chart), 2021–2023, legend: Increase by 10% or more; Increase by 5%–9%; Increase by less than 5%. In 2023 the shares were 15.5%, 55.3%, and 16.9% respectively. The 5%–9% share was 42.3% in 2021 and 45.8% in 2022, and the less-than-5% share was 21.7% in 2021 and 21.0% in 2022.

Figure 35: Breakdown of annual increase in IT security budgets by size of increase.


Of course, not everyone is seeing their budget go up: 7.4% of budgets are staying about the same and 4.9% are decreasing.

Which brings us to a big caveat. This information is based on 2023 budgets as they were being formulated at the end of 2022. If a recession materializes in 2023, or even if top management simply becomes more cautious about expenses, these budgets could be cut during the year. We will have to wait and see.

Meanwhile, Figure 36 shows budget increases by country. The averages range from around 7% at the top, for Brazil, Turkey, and South Africa; to the 4%-5% range at the bottom, for Germany, Italy, the United States, Japan, and Canada.

The average increase for major industries is shown in Figure 37. Finance and manufacturing are seeing the biggest average increases (6.0% and 5.9%, respectively), and telecom & technology and education the lowest (4.7% and 4.6%).

Figure 36 data:
Brazil 7.7%
Turkey 7.1%
South Africa 6.7%
Colombia 6.5%
Saudi Arabia 6.4%
Singapore 6.1%
China 5.9%
Mexico 5.9%
Australia 5.7%
UK 5.5%
Spain 5.4%
France 5.4%
Germany 4.8%
Italy 4.7%
USA 4.6%
Japan 4.4%
Canada 3.9%

Figure 36: Mean security budget increase, by country.

Figure 37 data:
Finance 6.0%
Manufacturing 5.9%
Retail 5.5%
Healthcare 5.3%
Government 5.0%
Telecom & Technology 4.7%
Education 4.6%

Figure 37: Mean security budget increase, by industry.


Network Security Deployment Status

Which of the following network security technologies are currently in use or planned for acquisition (within 12 months) by your organization?

Technology | Currently in use | Planned for acquisition | No plans
Advanced threat prevention (sandboxing, ML/AI) | 56.8% | 32.2% | 11.0%
Secure email gateway (SEG) | 55.6% | 31.8% | 12.6%
Secure web gateway (SWG) | 53.6% | 35.4% | 11.0%
Intrusion detection / prevention system (IDS/IPS) | 53.1% | 32.9% | 14.0%
SSL/TLS decryption appliances / platform | 51.3% | 36.4% | 12.3%
Data loss / leak prevention (DLP) | 51.2% | 38.6% | 10.2%
Network access control (NAC) | 50.9% | 36.3% | 12.8%
Denial of service (DoS/DDoS) prevention | 48.1% | 39.6% | 12.3%
Network behavior analysis (NBA) / NetFlow analysis | 45.2% | 37.5% | 17.3%
Next-generation firewall (NGFW) | 42.1% | 43.6% | 14.3%
Deception technology / distributed honeypots | 39.0% | 39.9% | 21.1%

Table 2: Network security technologies in use and planned for acquisition.

Network security has always been a core element of IT security. In fact, until a few years ago, it seemed like most of IT security centered on keeping bad stuff outside of the network perimeter with firewalls, secure gateways, intrusion detection products, antimalware solutions, etc., and keeping confidential stuff from leaking from inside the network perimeter, with technologies such as data loss prevention (DLP).

Today we are adapting to a perimeterless, zero trust, “assume you have been breached” world. But that doesn’t mean that network security is any less important. On the contrary, it means you must inspect and filter the packets flowing within your corporate network as well as the traffic entering and leaving your premises.

So what network security solutions are the workhorses and must-haves of IT security groups today? Which up-and-coming technologies are your peers planning to acquire and deploy?

Since we first asked those questions in the 2015 CDR, the network security solution most often in use has been advanced threat prevention or one of its predecessor technologies, such as network antivirus. That remains true today, with advanced threat prevention deployed in 56.8% of organizations (see Table 2). While earlier versions of this solution focused on identifying malware signatures, current products typically combine signature recognition with sandboxing, AI-based pattern recognition and analysis, and other advanced technologies.


Other network security solutions have moved up in the world. Over the past two years, secure email gateway (SEG) and secure web gateway (SWG) have advanced from the number 3 and number 7 positions to numbers 2 and 3, deployed in 55.6% and 53.6% of organizations, respectively.

Four other network security technologies are in use in at least half of all organizations: intrusion detection/prevention systems (IDS/IPS) at 53.1%, SSL/TLS decryption at 51.3%, data loss (or leak) prevention (DLP) at 51.2%, and network access control (NAC) at 50.9%.

The “Planned for Acquisition” category was led by next-generation firewalls (NGFWs). A significant 43.6% of organizations are planning to invest in one this year, either as a new technology or to replace an older NGFW product currently in use.

Another leader in planned investment (39.9%) is deception technology and distributed honeypots. We expect to see many deception solutions deployed in the next few years. Not only do they divert attackers away from real targets, but they also help security teams understand and defend against the tactics, techniques, and procedures (TTPs) of active threat actors.

Finally, denial of service (DoS/DDoS) prevention solutions are planned for acquisition in 39.6% of the organizations. This is an area where defenses need to be upgraded regularly to account for new techniques (Memcached DDoS attacks, anyone?) and ever-increasing volumes. Also, the emergence of DDoS attacks as elements in ransomware campaigns (see page 24) may be prompting organizations to improve their defenses against this menace.

Next: endpoint security technologies in use and planned for acquisition (page 38).


Endpoint Security Deployment Status

Which of the following endpoint security technologies are currently in use or planned for acquisition (within 12 months) by your organization?

Technology | Currently in use | Planned for acquisition | No plans
Basic anti-virus / anti-malware (threat signatures) | 72.6% | 22.2% | 5.2%
Data loss / leak prevention (DLP) | 56.1% | 32.4% | 11.5%
Endpoint detection and response (EDR) | 54.5% | 34.3% | 11.2%
EPP / Advanced anti-virus / anti-malware (machine learning, behavior monitoring, sandboxing) | 52.8% | 36.9% | 10.3%
Disk encryption | 51.4% | 36.7% | 11.9%
Browser or Internet isolation / micro-virtualization | 50.9% | 39.1% | 10.0%
Digital forensics / incident resolution | 48.8% | 36.4% | 14.8%
Deception technology / honeypot | 41.4% | 43.2% | 15.4%

Table 3: Endpoint security technologies in use and planned for acquisition.

Table 3 shows deployments and plans for endpoint security technologies. As you may have noticed, darker shades of blue indicate a higher frequency of adoption and more frequent plans for acquisition, and lighter shades the opposite.

Basic anti-virus/anti-malware technology (that is, a product that focuses on identifying malware using threat signatures) remains by far the #1 endpoint security technology, installed in 72.6% of organizations. This is a good example of a product category that is not considered hot, but still serves an important purpose. Those thousands of malware variants are still out there in the wild!

The second and third most often installed endpoint security technologies, DLP and EDR, remain the same, although their order has switched.

Data loss (or leak) prevention (DLP) is currently in use at 56.1% of organizations, showing that it is an established workhorse. Clearly, there is a lot of benefit in stopping end users from emailing or transferring documents or files that contain sensitive information, and most DLP products today can even flag or block outgoing text strings that contain keywords related to confidential data.
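An added illustration (not code from the report or from any DLP product) of the outgoing-content check described above: it scans a message for configured confidentiality keywords and for card-number-like digit strings, and goes one step beyond plain keyword matching by validating candidates with the Luhn checksum so that an arbitrary run of digits does not trigger a block. The keyword list, the allow/flag/block actions, and the sample messages are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed policy for this example; real DLP rule sets are far richer.
CONFIDENTIAL_KEYWORDS = ("confidential", "internal only", "do not distribute")

# 13 to 16 digits, optionally separated by spaces or hyphens (payment-card shaped).
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


@dataclass
class Finding:
    rule: str       # which rule fired: "keyword" or "card_number"
    evidence: str   # the matched keyword, or a masked card number


@dataclass
class Verdict:
    action: str                                   # "allow", "flag" or "block"
    findings: list[Finding] = field(default_factory=list)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding itself does not leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_outbound(text: str) -> Verdict:
    """Inspect one outgoing message and decide whether to allow, flag or block it."""
    findings: list[Finding] = []
    lowered = text.lower()
    for keyword in CONFIDENTIAL_KEYWORDS:
        if keyword in lowered:
            findings.append(Finding("keyword", keyword))
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # A digit run that fails Luhn is far more likely a ticket or ID number than a card.
        if luhn_valid(digits):
            findings.append(Finding("card_number", mask(digits)))
    # Policy: a validated card number blocks; a marker keyword alone only flags for review.
    if any(f.rule == "card_number" for f in findings):
        return Verdict("block", findings)
    if findings:
        return Verdict("flag", findings)
    return Verdict("allow", findings)


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    samples = [
        "Lunch at noon?",
        "Q3 roadmap attached. INTERNAL ONLY - do not forward.",
        "Customer card on file: 4111 1111 1111 1111, exp 12/26",
        "Ticket 1234 5678 9012 3456 reference",   # 16 digits, but fails Luhn
    ]
    for msg in samples:
        verdict = scan_outbound(msg)
        print(f"{verdict.action:5}  {msg!r}  {[(f.rule, f.evidence) for f in verdict.findings]}")
```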


Endpoint detection and response (EDR) products are also in widespread use (54.5% of organizations). They alert security teams to IoCs on endpoints and help block malicious activities there. EDR products are seen as playing an important role in zero trust security frameworks (see page 44). Also, they are now being integrated with other security solutions to create extended detection and response (XDR) solutions that are relevant for many use cases and offer a wide range of benefits (see our discussion of this topic on page 52).

Other technologies in use in half of organizations are endpoint protection platforms (EPP), disk encryption, and browser or internet isolation solutions (52.1%, 51.4%, and 50.9%, respectively). EPP solutions are cousins of EDR but have additional remediation capabilities. Disk encryption is, of course, a longstanding best practice for endpoints that contain sensitive information. And as we will discuss on page 51, browser or internet isolation solutions allow users to visit websites and open emails and documents without giving threat actors access to their workstations or smartphones.

What endpoint security technologies are planned for acquisition this year? The leaders are deception technology/honeypot (planned at 43.2% of organizations) and browser or internet isolation (39.1%).

Now let’s see what your peers think about application and data security solutions (page 40).

2023 Cyberthreat Defense Report 39



Application and Data Security Deployment Status


Which of the following application- and data-centric security technologies are currently
in use or planned for acquisition (within 12 months) by your organization?

Technology                                                              Currently in use   Planned for acquisition   No plans
API gateway / protection                                                     60.6%                 30.9%               8.5%
Database firewall                                                            60.1%                 29.0%              10.9%
Web application firewall (WAF)                                               55.4%                 35.8%               8.8%
Database activity monitoring (DAM)                                           51.7%                 36.1%              12.2%
Application container security tools/platform                                50.8%                 40.1%               9.1%
Cloud access security broker (CASB)                                          50.2%                 35.4%              14.4%
Application delivery controller (ADC)                                        50.2%                 33.7%              16.1%
Runtime application self-protection (RASP)                                   49.3%                 35.8%              14.9%
File integrity / activity monitoring (FIM/FAM)                               46.4%                 39.9%              13.7%
Third party code analysis                                                    45.1%                 35.3%              19.6%
Static/dynamic/interactive application security testing (SAST/DAST/IAST)     44.6%                 41.2%              14.2%
Bot management                                                               35.9%                 43.6%              20.5%

Table 4: Application and data security technologies in use and planned for acquisition.

There are two must-haves in the application and data security category: API gateway/protection and database firewall (see Table 4).

API gateway/protection is the application and data security solution installed in the largest percentage of organizations (60.6%), and is the leader for the fourth year running. API gateways enforce authentication and authorization policies, terminate TLS, and limit the impact of DDoS and abuse through rate limiting and quotas. API protection solutions go further. They can map an organization's attack surface to uncover rogue and forgotten APIs (undocumented "shadow" endpoints and deprecated "zombie" versions that are still reachable), track and analyze attacker behaviors, and correlate API-related data across hybrid- and multi-cloud environments. As more organizations move to modular, services-based cloud applications whose access is typically routed through APIs, security teams need tools to detect and respond to attacks targeting those APIs.

Database firewalls have moved up to second position in this category (in use in 60.1% of organizations), after occupying third place for the past two years. They are among the few application and data security solutions whose installed base increased in the past two years, rising from 58.1% to 60.1%. This increase is consistent with the trend of protecting data where it resides rather than relying only on blocking attacks at the enterprise perimeter.
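The "rogue and forgotten APIs" that API protection products hunt for can be found with the data an API gateway already has: its access log and its route inventory. The script below is an added illustration written for this page, not code from the report or from any sponsor's product. The inventory, the log lines, the route names and the identifier heuristics are all constructed; a real deployment would load the inventory from the gateway configuration or an OpenAPI document and stream the log from the gateway.

```python
"""Shadow and zombie API discovery by reconciling gateway logs with the API inventory.
Added example, not code from the report or any sponsor product. The inventory,
the log lines, and the route names are constructed for this illustration."""
import re
from collections import Counter

# Documented routes, as an API gateway config or OpenAPI spec would list them.
# Path parameters use the {name} convention. (Constructed inventory.)
INVENTORY = {
    ("GET", "/api/v2/users/{id}"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/orders/{id}"),
    ("DELETE", "/api/v2/orders/{id}"),   # documented, but never seen in the log below
    ("GET", "/api/v2/health"),
}

# Constructed gateway access log (combined-log style). Two lines hit an old v1
# export endpoint nobody remembered, and one hits a debug route that should
# never have been exposed.
ACCESS_LOG = """\
10.0.3.7 - - [12/Mar/2023:10:01:02 +0000] "GET /api/v2/users/1042 HTTP/1.1" 200 512
10.0.3.7 - - [12/Mar/2023:10:01:03 +0000] "GET /api/v2/users/1043?verbose=1 HTTP/1.1" 200 498
10.0.9.2 - - [12/Mar/2023:10:02:10 +0000] "POST /api/v2/orders HTTP/1.1" 201 90
10.0.9.2 - - [12/Mar/2023:10:02:11 +0000] "GET /api/v2/orders/77f1b2 HTTP/1.1" 200 1200
198.51.100.8 - - [12/Mar/2023:10:05:44 +0000] "GET /api/v1/users/1042/export HTTP/1.1" 200 88311
198.51.100.8 - - [12/Mar/2023:10:05:45 +0000] "GET /api/v1/users/1043/export HTTP/1.1" 200 87902
10.0.3.7 - - [12/Mar/2023:10:06:00 +0000] "GET /internal/debug/config HTTP/1.1" 200 2210
10.0.3.7 - - [12/Mar/2023:10:07:00 +0000] "GET /api/v2/health HTTP/1.1" 200 15
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)')

# Path segments that look like identifiers (integers, hex ids, UUID-like strings)
# are collapsed to {id} so that /users/1042 and /users/1043 count as one route.
# The hex rule is a heuristic; tune it to the identifier formats your APIs use.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{6,}|[0-9a-fA-F-]{32,})$")


def normalize(path: str) -> str:
    """Strip the query string and replace identifier-looking segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def observed_routes(log_text: str) -> Counter:
    """Count requests per (method, normalized path) seen in the log."""
    routes = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            routes[(m["method"], normalize(m["path"]))] += 1
    return routes


def audit(log_text: str, inventory=INVENTORY) -> dict:
    """Rogue = served but undocumented; forgotten = documented but never called."""
    seen = observed_routes(log_text)
    return {
        "rogue": {route: n for route, n in seen.items() if route not in inventory},
        "forgotten": inventory - set(seen),
    }


if __name__ == "__main__":
    report = audit(ACCESS_LOG)
    for route, n in sorted(report["rogue"].items()):
        print(f"ROGUE     {route[0]:6} {route[1]}  ({n} requests)")
    for route in sorted(report["forgotten"]):
        print(f"FORGOTTEN {route[0]:6} {route[1]}")
```

Run against the sample log, the audit reports the v1 export route and the debug route as rogue (served by the gateway but absent from the inventory) and the documented DELETE route as forgotten (in the inventory but never called, a candidate for retirement before it becomes a zombie). The same reconciliation, run continuously, is the core of the attack-surface mapping the text describes.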

2023 Cyberthreat Defense Report 40



Bot management is not installed as often as the other technologies in this category, but new deployments are coming. It is the leader in planned acquisitions, at 43.6%. Controlling bot traffic is a priority because botnets are used to distribute ransomware and spam, to mount DDoS and credential-stuffing attacks, and to scrape content and prices.

Application security testing (SAST/DAST/IAST) is in second place in planned acquisitions, at 41.2%. Agile organizations are committed to developing software faster, but know they need more automated testing in the pipeline to make this safe.

Application container security tools/platforms have the distinction of being near the top of both the currently-in-use (50.8%) and planned-for-acquisition (40.1%) lists. This reflects the increasing use of container technology for cloud-based applications.

Last, but not least, we turn to our final table in this survey for data on current use and planned acquisition of security management and operations technologies (page 42).

2023 Cyberthreat Defense Report 41



Security Management and Operations Deployment Status

Which of the following security management and operations technologies are currently
in use or planned for acquisition (within 12 months) by your organization?

Technology                                                        Currently in use   Planned for acquisition   No plans
Active Directory protection                                            61.6%                 28.9%               9.5%
Cyber risk quantification/scorecard                                    54.6%                 32.4%              13.0%
Security configuration management (SCM)                                52.6%                 33.8%              13.6%
Patch management                                                       50.5%                 34.3%              15.2%
Advanced security analytics (e.g., with machine learning, AI)          49.6%                 41.1%               9.3%
Security information and event management (SIEM)                       48.8%                 38.3%              12.9%
Vulnerability assessment/management (VA/VM)                            48.5%                 40.3%              11.2%
Security orchestration, automation and response (SOAR)                 47.8%                 36.9%              15.3%
Penetration testing / attack simulation software                       46.7%                 39.0%              14.3%
Threat intelligence platform (TIP) or service                          45.8%                 40.0%              14.2%
User and entity behavior analytics (UEBA)                              44.1%                 37.1%              18.8%
Full-packet capture and analysis                                       41.6%                 43.5%              14.9%

Table 5: Security management and operations technologies in use and planned for acquisition.

Our Security Management and Operations category covers a lot of ground. It includes technologies related to basic security hygiene (vulnerability assessment and patch management), to automating IT security activities (SOAR and SCM), to collecting and analyzing security data (SIEM, UEBA, and advanced security analytics), and to other activities that strengthen an organization's security program (cyber risk quantification, Active Directory protection, and threat intelligence) (see Table 5).

As it happens, the four solutions most often in use this year are exactly the same four, and in the same order, as last year.

Leading the list is Active Directory protection, in use at 61.6% of organizations. Security teams need to prevent credential material and directory data in Active Directory from being stolen or abused by attackers for privilege escalation. It is also useful for finding and fixing accounts that are special targets of threat actors, such as accounts that are over-permissioned, service accounts with passwords that never expire, or accounts no longer used by a legitimate employee or contractor.

2023 Cyberthreat Defense Report 42



Cyber risk quantification tools and risk scorecards are also popular, deployed in 54.6% of organizations. They help IT groups calculate and track cyber risks, so they can focus security activities on the threats that can do the most damage. They also help IT groups communicate with top management and boards of directors about risks and justify security investments. If you refer to Figure 40 on page 48, you will see that almost half of all organizations (45.5%) provide board members with access to their cyber risk quantification or scorecard tool.

Security configuration management (SCM) and patch management continue to be old reliables, installed in about half of all organizations (52.6% and 50.5%, respectively). Maintaining the configurations of security tools and of key software like database management systems and remote-access services is essential to keeping defenses effective: a single setting that drifts from the hardened baseline, or is commented out so that a less secure default silently takes over, can undo the protection the baseline was meant to provide. Keeping systems patched is a critical process that needs no explanation. Both of these tasks can be managed with spreadsheets (sort of), but tools designed for them save time and reduce errors.

In the planned for acquisition column, the leaders are full packet capture and analysis (on the agenda for 43.5% of organizations) and advanced security analytics (41.1%). They are followed closely by vulnerability assessment/management (VA/VM) and threat intelligence platform (TIP) or service (40.3% and 40.0%, respectively).
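What an SCM tool actually does for one piece of key software is worth seeing concretely. The script below is an added illustration, not code from the report or any sponsor's product: it checks an OpenSSH server configuration against a hardening baseline. The baseline values, the sample config and the subset of OpenSSH defaults are constructed for the example; the two parsing rules it honours (the first value for a keyword wins, and directives after a Match block are conditional rather than global) are real sshd behaviour, which is exactly why a spreadsheet-based check gets this wrong.

```python
"""Security configuration drift check for an sshd_config against a hardening baseline.
Added example, not from the report. The baseline, the OpenSSH defaults listed
here (a subset) and the sample configs are constructed for this illustration."""

# Expected hardened values (constructed baseline). Keywords are case-insensitive in sshd.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# What sshd uses when a directive is absent. Checking against defaults matters:
# a commented-out "PasswordAuthentication no" silently re-enables passwords.
OPENSSH_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}

# Constructed current config with three classic mistakes: root login turned on,
# the password directive commented out, and a duplicate MaxAuthTries that sshd ignores.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
MaxAuthTries 10
Match User backup
    PasswordAuthentication yes
"""

# Constructed config that meets the baseline.
COMPLIANT_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lower: value} for global directives.

    Two sshd rules are honoured: the first value given for a keyword wins, and
    everything from the first Match block onward is conditional, so it is not
    treated as the global setting."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return settings


def check_drift(text: str, baseline=BASELINE, defaults=OPENSSH_DEFAULTS) -> dict:
    """Map each drifted keyword to (expected, actual, source). source is 'config'
    when the value is set explicitly and 'default' when sshd's default applies."""
    settings = parse_sshd_config(text)
    drift = {}
    for keyword, expected in baseline.items():
        key = keyword.lower()
        if key in settings:
            actual, source = settings[key], "config"
        else:
            actual, source = defaults.get(keyword, ""), "default"
        if actual.lower() != expected.lower():
            drift[keyword] = (expected, actual, source)
    return drift


if __name__ == "__main__":
    for keyword, (expected, actual, source) in check_drift(SAMPLE_CONFIG).items():
        print(f"DRIFT {keyword}: expected {expected!r}, got {actual!r} ({source})")
```

On the sample config the check reports two findings: PermitRootLogin is explicitly "yes", and PasswordAuthentication has drifted to "yes" by default because the only line setting it is commented out. MaxAuthTries passes, because sshd takes the first value (4) and ignores the later 10; a naive "last value wins" parser would have flagged it.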

2023 Cyberthreat Defense Report 43



Section 4: Practices and Strategies

Technologies Playing a Role in Zero Trust Security

Which three of the following security technologies play the most significant roles in your organization's
zero trust security framework? (Select up to three.)

Multi-factor authentication (MFA)                 42.3%
Endpoint detection and response (EDR)             41.8%
Email encryption                                  36.2%
Encryption of HTTP traffic                        35.6%
Privileged access management (PAM)                32.9%
Risk-based authentication                         32.5%
Network segmentation / micro-segmentation         28.7%

Figure 38: Technologies playing the most significant role in the organization's zero trust security framework.

Today, zero trust concepts are driving a lot of technological innovation and investment by IT organizations. But the "zero trust" label can be applied to many ideas. They include:

• Improving authentication (to make sure that every user, no matter where they attach to the network, is identified and validated as the person they claim to be)
• Rigorously enforcing the principle of least privilege (to ensure that users only have access to the specific resources they need to do their jobs)
• Applying micro-segmentation (to prevent threat actors from moving laterally inside networks)
• All sorts of other things, depending on the organization's vision of zero trust

So, we added a new question to this year's survey to see what security technologies organizations are using to support their zero trust security initiatives (see Figure 38).

2023 Cyberthreat Defense Report 44



The two technologies playing the largest roles in zero trust frameworks today are multi-factor authentication (MFA), cited by 42.3% of respondents, and endpoint detection and response (EDR), selected by 41.8%.

MFA certainly deserves a prominent place on this list. It gives organizations confidence that users requesting access to resources are not threat actors who have guessed, stolen, or bought passwords and other credentials. Most cybersecurity experts consider MFA a must-have for any secure environment. For example, U.S. Office of Management and Budget memo M-22-09 requires federal agencies to enforce phishing-resistant MFA (PIV or FIDO2/WebAuthn authenticators, rather than SMS or one-time codes that a proxy phishing kit can relay) for staff, contractors, and partners by the end of fiscal year 2024 (you can read the memo at: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

EDR solutions are also a key component of a zero trust architecture. They provide the device-posture data that lets an access policy ask not only "who is this user?" but "is the endpoint they are coming from healthy?", so that a compromised endpoint, which could capture passwords or even the session tokens issued after MFA succeeds, is denied access. They also enforce security policies on endpoints.

Next on the list of technologies widely used to support zero trust initiatives are email encryption (36.2%) and encryption of HTTP traffic (35.6%). They make it much harder for threat actors to tamper with emails and network traffic, for example, by inserting phishing links or capturing passwords, passcodes, and session tokens as they traverse a network. Note that TLS protects traffic in transit; it does not stop a user from submitting credentials to a phishing site that also uses TLS, which is why phishing-resistant authenticators matter.

Privileged access management (PAM) also received a lot of attention; it was cited by 32.9% of respondents. PAM enables security and identity management teams to control the permissions of IT and security administrators, top executives, and others who in the past were often granted almost unlimited access to an organization's information assets. It's not that IT security professionals don't want to trust these users completely, it's that they can't trust them completely. Some apparently trustworthy people turn out to be rogue insiders. Also, organizations don't want threat actors who have captured the credentials of privileged users to have free run of their entire computing environment.

One surprise is that network segmentation and micro-segmentation came in last on this list, at 28.7%. In most descriptions of zero trust models, segmentation is highlighted as an absolutely critical element. We believe most organizations recognize its importance, but because of the difficulty and effort of implementing granular segmentation, they are holding off until late in their zero trust roadmap. In other words, many organizations are starting by implementing a version of zero trust "lite" without making a big investment in segmentation, but will address it in a later stage of their zero trust program.

2023 Cyberthreat Defense Report 45



Increasing Security Awareness Among Employees

Which of the following does your organization offer to increase security awareness and train
employees on avoiding phishing and other cyberthreats?

Live training for all employees conducted at least annually                                   52.1%
Live training for new hires during onboarding                                                 47.3%
Ongoing reinforcement using an anti-phishing / threat simulation system                       44.0%
Signs hanging on office walls reminding employees how to avoid phishing and other cyberthreats 41.9%
Pre-recorded training for new hires during onboarding                                         41.0%
Availability of on-demand videos or training modules                                          40.4%

Figure 39: What organizations offer to increase security awareness and train employees on avoiding phishing and other cyberthreats.

Security awareness among employees has already come up several times in this report, most notably as an IT security function that organizations are not confident about (page 13) and as one of two powerful factors inhibiting them from adequately defending against cyberthreats (page 26).

IT security groups know very well that the smartest threat actors target end users. As cryptographer Bruce Schneier once said: "Amateurs hack systems, professionals hack people."

So, what are organizations doing about it? What types of employee security education are they offering (or requiring) to address this problem?

The first notable finding is that an overwhelming 98.3% of organizations currently provide some form of security awareness training for their employees (although we might wonder what leaders in the remaining 1.7% are thinking).

2023 Cyberthreat Defense Report 46



As shown in Figure 39, a large majority of organizations are providing security training for employees during onboarding. For some (47.3%), this training is conducted by a live instructor, and for others (41.0%), it's provided through pre-recorded videos or lessons.

Organizations have also recognized the importance of reinforcing security lessons. Slightly more than half (52.1%) conduct security awareness training for all employees at least annually, and 40.4% make videos or training modules available on demand.

Simulations of phishing attacks and other threats are additional tools for reinforcing the lessons employees learn during their training sessions. Security simulations must be implemented very carefully. If mishandled, they can create anxiety or cause employees to feel that they are being spied on or tested with an eye to punishment. Presented in the right context, however, they can make security concepts memorable in a way that is hard to duplicate in a classroom setting or with a video. A practical sign that a program is working is a rising rate of employees reporting the simulated messages, which says more than the click rate alone. Our data shows that these simulations have really caught on and are being used in 44.0% of organizations.

Do you think wall signs and motivational posters are tacky? Have you seen the Demotivator® posters that poke fun at them? (Samples: "MEETINGS: None of us is as dumb as all of us," and "YOU ARE SPECIAL: If you require additional affirmation, get a puppy. The rest of us are trying to work.") Well, despite that, wall signs can be effective when they convey accurate, usable information. That's why signs with reminders on how to avoid phishing and other cyberthreats are pinned or taped to the walls at 41.9% of organizations.

2023 Cyberthreat Defense Report 47



Security Leaders Engaging with Boards of Directors

How do your IT security leaders engage with your organization's board of directors?

Provide monthly, quarterly, or annual cyber risk assessment reports            50.7%
Provide board access to our cyber risk quantification / scorecard system       45.5%
Participate in a cyber risk assessment committee chaired by a board member     43.1%
Present regularly at board meetings                                            41.0%
Measure the maturity of our security program / operations                      37.8%
Work with third parties to conduct independent cyber risk assessments          37.4%

Figure 40: How IT security leaders engage with their organization's board of directors.

You can find many articles in the press about how boards of directors are now taking a strong interest in IT security. But is that true? And if it is, how do they interact with the security experts in their organization? To find out, we added a question to our survey.

The most common form of interaction is providing monthly, quarterly, or annual cyber risk assessment reports to the board. Slightly more than half of the organizations (50.7%) mentioned this best practice (see Figure 40). Reporting means board members get a picture of the organization's business risks regularly. That information helps them understand the threats to the organization and the activities of the security team to meet those threats. It also gives the board members a basis to approve or modify IT security budgets. This kind of sharing is one reason why IT security budgets are continuing to grow at the rates shown in Figure 34 on page 34.

Almost half of all organizations (45.5%) give board members access to a cyber risk quantification or scorecard system. This implies a level of interaction beyond merely handing over printed reports. Presumably, it allows board members who are interested to dig deeper into the details of how security groups assess the strengths and weaknesses of their different IT security functions and what IT leadership is doing to reduce business risks.

2023 Cyberthreat Defense Report 48



The survey also confirms that today, IT security leaders interact directly with board members. A solid 41.0% of respondents report that their IT security leaders present regularly at board meetings.

Another very striking result: IT security leaders in 43.1% of the organizations participate in a cyber risk assessment committee chaired by a board member. This suggests a very active role for at least some board members in deciding (and hopefully approving) security plans. It implies a large increase in board interaction from a few years ago.

Finally, a significant number of organizations track the maturity of their IT security programs (37.8%) or work with third parties to conduct independent cyber risk assessments (37.4%). These practices help IT security teams focus energies and funds on the security functions that need the most improvement, and show executives and board members where progress has been achieved.

Another important finding from our data is that engagement between IT security leaders and board members is almost universal. Of organizations that have a board of directors, only a small minority (2.9%) said their IT leaders didn't have any interaction with the board (see Figure 41).

Our IT security leaders engage directly with our board of directors          97.1%
Our IT security leaders don't engage directly with our board of directors     2.9%

Figure 41: IT security leaders who engage with the board of directors.

Interaction with the board means that security leaders must be able to talk the language of business as well as technology, by measuring risk and explaining the business benefits of investments in security. On balance, however, high levels of engagement are very good news. For many years, the Syms clothing chain promoted itself with the slogan: "An educated consumer is our best customer." Perhaps we can paraphrase that to: "An educated board is IT security's best supporter."

2023 Cyberthreat Defense Report 49



Technologies Playing the Biggest Roles Against Sophisticated Threats

Which of the following signature-less technologies play the biggest roles in your organization for
protecting against sophisticated threats, such as ransomware, phishing, and zero day attacks?
(Select up to three.)

Network behavior analysis / NetFlow analysis           47.7%
Network / endpoint deception                           45.4%
Machine learning / artificial intelligence (ML/AI)     41.3%
IP / URL reputation engine                             34.1%
Browser isolation                                      33.4%
Sandbox                                                25.2%

Figure 42: Signature-less technologies playing the biggest roles protecting against sophisticated threats such as ransomware, phishing,
and zero day attacks.

This is another new question in our survey. We asked about the adoption of some relatively new technologies that are getting a lot of attention as innovative methods of preventing or detecting threats, such as ransomware, phishing, and zero day attacks, that don't involve files with easily recognizable signatures.

The most widely used of the technologies on this list are network behavior analysis and NetFlow analysis, which play a significant role in 47.7% of organizations (see Figure 42). Security groups use them to identify unusual behaviors in network flows that are associated with threat actors searching networks for targets, accessing databases and sensitive files, and exfiltrating stolen data. The same analysis can also reveal suspicious activity by insiders and supply chain partners.

Network and endpoint deception technologies are almost equally popular and are being used by 45.4% of organizations.

2023 Cyberthreat Defense Report 50



They create decoy networks, systems, credentials, and files that lure attackers away from real assets. The goal is to detect malicious activity, confuse and slow attackers, and learn the tactics, techniques, and procedures (TTPs) of threat actors. Deception technologies have an unusual advantage: almost no false positives. Employees and customers have no reason to access fake systems, so alerts generated by decoys are almost certainly the result of activity by threat actors. The two practical exceptions are an organization's own vulnerability scanners and asset-discovery tools, which will touch decoys unless they are allow-listed, and decoys that look nothing like real assets, which a skilled attacker simply avoids.

Machine learning and AI are widely touted as powerful tools to identify malicious behaviors. What should we make of our finding that they play a big role in the defenses of 41.3% of organizations? We'd say that number indicates adoption is fairly wide, but not universal.

IP and URL reputation engines allow enterprises to block network traffic from or to websites and systems known to host malware or to be involved with ransomware, spam, phishing attacks, and other dangerous activities. They have also achieved a significant level of adoption, at 34.1%. Reputation is reactive by nature: a freshly registered domain or a compromised legitimate site scores as clean until someone reports it, which is why reputation engines are paired with behavioral controls rather than relied on alone.

Another up-and-coming security technology is browser isolation, now used in about one-third of the organizations surveyed (33.4%). Browser isolation allows employees to perform activities like accessing websites, opening emails, and downloading documents in an isolated environment, typically in the cloud. They can do their work much as they would from a regular browser, but any malware, ransomware, and other bad things in the websites, emails, and documents they access can't reach their systems, or anywhere else outside of the isolated browser session. Browser isolation improves security with little effect on the end user's experience, although rendering pages remotely can add latency and break some sites, so many deployments isolate only uncategorized or risky destinations. We think you'll be hearing more about this type of technology in the future.

What about sandbox technology? It's been around a long time as a key defense against malware (it executes suspicious files in an isolated environment to see if they perform malicious actions). Yet only a quarter of our respondents (25.2%) rated it as playing a major role in their organization's defenses. One reason may be that evasive malware checks for sandbox artifacts, delays execution, or waits for user interaction before detonating, so a clean sandbox verdict is weaker evidence than it once was.
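The two leading technologies in Figure 42 complement each other, and the combination is easy to show on flow data. The script below is an added illustration written for this page, not code from the report or from any sponsor's product. It runs three detections over NetFlow-style records: contact with a decoy host (the deception signal, with the organization's own scanner allow-listed so it does not trip the decoys), a sweep across many internal hosts, and a large outbound transfer to one external address. The decoy addresses, the allow-list, the thresholds and the flow records are all constructed; a real deployment would read flows from a collector and tune the thresholds to its own baseline.

```python
"""NetFlow-style behaviour analysis with decoy hits layered on top.
Added example, not from the report or any sponsor product. The decoy addresses,
the scanner allow-list, the thresholds and the flow records are all constructed."""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DECOYS = {"10.0.5.50", "10.0.5.51"}   # decoy hosts: nothing legitimate should talk to them
SCANNER_ALLOWLIST = {"10.0.0.20"}     # authorized vulnerability scanner (would otherwise trip decoys)
FANOUT_THRESHOLD = 5                  # distinct internal hosts one source may contact before we call it a sweep
EXFIL_BYTES = 50_000_000              # outbound bytes to one external host that warrant a look

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.0.1.5",  "10.0.2.10",    443,     12_000),
    ("10.0.1.5",  "10.0.2.10",    443,      8_000),
    ("10.0.1.5",  "203.0.113.40", 443,  2_000_000),
    ("10.0.1.23", "10.0.2.1",     445,        300),   # 10.0.1.23 sweeps SMB across a subnet ...
    ("10.0.1.23", "10.0.2.2",     445,        300),
    ("10.0.1.23", "10.0.2.3",     445,        300),
    ("10.0.1.23", "10.0.2.4",     445,        300),
    ("10.0.1.23", "10.0.5.50",    445,        300),   # ... touches a decoy on the way ...
    ("10.0.1.23", "10.0.2.6",     445,        300),
    ("10.0.1.23", "203.0.113.9",  443, 75_000_000),   # ... then pushes 75 MB out
    ("10.0.0.20", "10.0.5.51",     22,        900),   # scanner hits a decoy: expected, allow-listed
]


def analyze(flows):
    """Return a list of (kind, src_ip, detail) alerts."""
    alerts = []
    internal_targets = defaultdict(set)
    egress_bytes = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if dst in DECOYS and src not in SCANNER_ALLOWLIST:
            # Decoy contact: nearly zero false positives, no real workflow needs these hosts.
            alerts.append(("deception", src, f"contacted decoy {dst}:{port}"))
        if ipaddress.ip_address(dst) in INTERNAL:
            internal_targets[src].add(dst)
        else:
            egress_bytes[(src, dst)] += nbytes
    for src, dsts in internal_targets.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts.append(("sweep", src, f"contacted {len(dsts)} internal hosts"))
    for (src, dst), total in egress_bytes.items():
        if total >= EXFIL_BYTES:
            alerts.append(("exfil", src, f"{total} bytes to {dst}"))
    return alerts


def suspects(flows):
    """Sources with more than one kind of alert. A decoy hit plus a sweep or an
    exfil transfer is the 'search, access, exfiltrate' sequence the text describes."""
    kinds = defaultdict(set)
    for kind, src, _ in analyze(flows):
        kinds[src].add(kind)
    return {src: sorted(k) for src, k in kinds.items() if len(k) > 1}


if __name__ == "__main__":
    for kind, src, detail in analyze(FLOWS):
        print(f"{kind:10} {src:12} {detail}")
    print("suspects:", suspects(FLOWS))
```

On the sample flows only 10.0.1.23 is flagged, by all three detections; the scanner's decoy hit is suppressed by the allow-list, and the ordinary workstation 10.0.1.5 never appears. The decoy alert is the high-confidence one; the sweep and exfil thresholds are where tuning against the organization's own baseline happens.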

2023 Cyberthreat Defense Report 51



Use Cases for Extended Detection and Response (XDR)

Extended detection and response (XDR) unifies endpoint detection and response (EDR) with popular network
security tools, often sourced from the same vendor. Which of the following XDR use cases are most important
to your organization? (Select up to three.)

Identifying hidden cyberthreats                         43.1%
Improving productivity of security personnel            39.9%
Accelerating incident investigation and response        39.6%
Improving customer support experience                   35.7%
Reducing false positives                                32.5%
Reducing product purchase and acquisition costs         28.0%
Mitigating alert fatigue                                24.3%

Figure 43: Extended detection and response (XDR) use cases most important to the organization.

Extended detection and response (XDR) solutions collect and correlate data from a wide range of sources, including networks, endpoints, and cloud platforms, to help organizations detect and understand attacks more completely and accurately and respond to them faster. They represent a convergence of network monitoring, log management and analysis (SIEM), and endpoint detection and response (EDR) technologies. We found that almost all organizations have deployed XDR, are implementing it, or plan to (see Figure 44 in the next section). But why?

The number one use case, not surprisingly, is identifying hidden cyberthreats, cited by 43.1% of respondents (see Figure 43). Ransomware attacks, APTs, and many other major intrusions start with a compromised endpoint, so detecting IoCs on endpoints as quickly and completely as possible is obviously an extremely high priority for IT security groups and a major motivation to invest in XDR solutions. The correlation is what separates XDR from a pile of point alerts: a failed login, an unusual child process on a laptop, and a new outbound connection are each noise on their own, but linked by host and time they describe an intrusion.

The next most important use cases are improving the productivity of security personnel (39.9%), accelerating incident investigation and response (39.6%), and improving the customer support experience (35.7%), followed by reducing false positives (32.5%). These are priority goals in a world where IT security personnel are a scarce resource (see page 15) and a fast response to threats can avoid massive damage to an organization's revenue and reputation.

Fewer organizations rate XDR as most important for reducing product purchase and acquisition costs (28.0%) or mitigating alert fatigue (24.3%).

2023 Cyberthreat Defense Report 52



Emerging IT Security Technologies and Architectures

Describe your organization's deployment plans for each of the following emerging
IT security technologies/architectures.

Technology                                      Currently in production   Implementation in progress   Implementation to begin soon   No plans
Zero trust network access (ZTNA)                       45.3%                       31.4%                        15.7%                    7.7%
Hardware-based/firmware security                       43.5%                       35.1%                        14.3%                    7.1%
Risk-based vulnerability management (RBVM)             39.7%                       36.2%                        16.8%                    7.4%
Passwordless authentication                            39.3%                       31.1%                        17.8%                   11.8%
Extended detection and response (XDR)                  39.1%                       35.0%                        18.6%                    7.3%
Secure access service edge (SASE)                      37.8%                       40.3%                        15.4%                    6.6%

Figure 44: Plans for implementing emerging IT security technologies and architectures.

The final question in our survey examines where organizations stand on deploying six emerging IT security solutions. Some can be deployed as a single product, while others typically involve several products that work toward the same goals (e.g., secure access service edge, or SASE).

Figure 44 shows the six solutions ranked by the percentage of organizations that have them in production. You may notice, however, that the ranking would be different if we added together "currently in production" and "implementation in progress." Our takeaway is that:

• The percentage of organizations committed to each of these solutions is roughly the same.
• All of them are seen as worthwhile investments by almost everyone; the percentage having "no plans" to implement ranges from only 6.6% to 11.8%.

Of these six leading-edge solutions, the one in production most often is zero trust network access (ZTNA), at 45.3% of organizations. An additional 31.4% have begun to implement ZTNA, and 15.7% more have plans. This reflects how pervasive zero trust security ideas have become.

2023 Cyberthreat Defense Report 53



It is interesting to note that over two years the ratios of "in production" and "being implemented" for ZTNA have basically reversed: from 30.2% and 44.3% two surveys back to 45.3% and 31.4% now. This suggests that over that period, somewhere between 13% and 15% of organizations moved from implementing ZTNA to using it successfully.

Hardware- and firmware-based security, added to the survey last year, showed the second highest level of deployment: 43.5% in production. Implementation in progress is also high, at 35.1%. We believe this is an up-and-coming solution area. Security data and software anchored in hardware and firmware are far harder to compromise or disrupt than security data and software that can be accessed in memory or on disk.

Risk-based vulnerability management (RBVM) is also popular. It is in production in 39.7% of organizations, and is being implemented in another 36.2%. The idea behind RBVM is that organizations must not only identify as many vulnerabilities as possible across their attack surface, but should also prioritize remediation based on factors such as the likelihood of the vulnerability being exploited by threat actors and the impact on the business if the exploitation is successful. There are far too many vulnerabilities to fix all at once, so it is essential to understand which are critical so they can be remediated first.

What about passwordless authentication, currently in production in 39.3% of organizations? Today it is widely agreed that passwords are so easy to guess, phish, steal, or buy that they can't be relied on for authentication. Instead, security teams are deploying MFA solutions that give passwords either a minor role or none at all. Biometrics play an important part in this area. The FIDO Alliance (https://fidoalliance.org/) champions standards that will eliminate sticky notes. Well, not all of them. But authentication solutions using FIDO standards will slash sticky note sales by getting rid of passwords.

XDR solutions are in production in 39.1% of organizations and are being implemented in an additional 35.0%. As we discussed regarding our previous question, organizations are employing XDR to identify hidden cyberthreats, improve the productivity of security personnel, and accelerate incident investigation and response, among other use cases.

Secure access service edge (SASE) solutions are in production or being implemented in almost four out of five organizations (78.1%). They are a key response to the challenges of remote work that peaked during the COVID pandemic.
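The RBVM discussion above describes the prioritization idea in words: score each finding by the likelihood that it will be exploited and by the business impact if it is, rather than by technical severity alone. The following Python is an added illustration of that scoring, not code from the report or from any vendor; the hosts, placeholder vulnerability IDs, probabilities and weighting factors are all constructed for the example, and the exposure bump is an assumed heuristic. It deliberately includes a finding with the highest CVSS score that lands at the bottom of the list.

```python
"""Risk-based vulnerability management (RBVM): rank findings by how likely
they are to be exploited and how much it would hurt, not by CVSS alone.

Added illustration; not code from the report. All findings, scores and
weights below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    asset: str              # hypothetical hostname
    cvss: float             # CVSS base score, 0.0 to 10.0
    exploit_prob: float     # EPSS-style probability of exploitation, 0.0 to 1.0
    known_exploited: bool   # on a known-exploited list (e.g. CISA KEV)
    criticality: int        # business criticality of the asset, 1 (low) to 5 (crown jewel)
    internet_exposed: bool  # reachable from the internet


def likelihood(f: Finding) -> float:
    """Likelihood of exploitation in [0, 1]. Confirmed in-the-wild exploitation
    overrides the model estimate; exposure bumps the estimate (assumed weights)."""
    p = 1.0 if f.known_exploited else f.exploit_prob
    if f.internet_exposed:
        p = p * 1.5 + 0.05
    return min(1.0, p)


def impact(f: Finding) -> float:
    """Business impact in [0, 1]: technical severity scaled by asset criticality."""
    return (f.cvss / 10.0) * (f.criticality / 5.0)


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, on a 0 to 100 scale, rounded for reporting."""
    return round(100.0 * likelihood(f) * impact(f), 1)


def prioritize(findings):
    """Return findings in remediation order, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample data (hypothetical hosts and placeholder vulnerability IDs).
SAMPLE_FINDINGS = [
    Finding("VULN-A", "crm-web-01", 7.5, 0.92, True, 5, True),
    Finding("VULN-B", "dev-lab-07", 9.8, 0.01, False, 1, False),
    Finding("VULN-C", "hr-db-02", 8.8, 0.30, False, 4, False),
    Finding("VULN-D", "vpn-gw-01", 6.5, 0.40, False, 4, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.vuln_id} on {f.asset}: risk {risk_score(f):5.1f} (CVSS {f.cvss})")
```

Run stand-alone, the script ranks VULN-A (known exploited, internet-facing, crown-jewel asset) first and VULN-B (CVSS 9.8, but an isolated lab box with negligible exploit probability) last, which is exactly the reordering a CVSS-only queue would miss. In practice the probability and known-exploited inputs come from feeds such as EPSS and CISA KEV, and criticality from the asset inventory; the weights should be tuned to the organization rather than taken from this example.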


The Road Ahead

Zero Trust Expands Even as COVID Recedes

In some ways, the rapid dissemination of zero trust principles is a legacy of COVID-19. In 2023, zero trust models are having an increasingly powerful impact on IT security, even as COVID is receding.

Zero trust concepts were introduced in 2010 and slowly gained traction during the next decade. However, it was COVID's far-reaching impact on working conditions in 2020 and 2021 that caused zero trust ideas to take off. As the pandemic took hold, IT security groups were challenged to support vast numbers of employees working at home, using an array of new communications and collaboration tools hosted on cloud platforms, over more types of networks, often with personal, unmanaged devices. Zero trust frameworks provided guidance for dealing with the most pressing issues they faced, such as requiring strong authentication for everyone, enforcing consistent access control policies everywhere, and limiting access to resources on a "need to use" basis.

Now that COVID is gradually becoming a serious but manageable health issue, and as workers return to their offices (at least part time), is the zero trust wave going to subside? It doesn't look that way. Organizations still need to protect people, data, and applications that are widely distributed across locations and computing platforms. New threats make strong MFA a bigger need than ever. More-granular access control and network segmentation are needed to combat threat actors who continually develop new ways to penetrate networks and move laterally.

Over the next couple of years, there will be plenty of debate about what exactly is required for a real zero trust environment, and whether the term has been stretched to the point where it doesn't mean anything in particular. Nevertheless, we expect to see a lot more organizations implementing zero trust principles so they can walk the walk as well as talk the talk.

Is All Cybercrime Becoming Ransomware?

In our Road Ahead section last year, we wondered if the ransomware industry might have peaked. After all, organizations of all kinds were becoming more vigilant; governments were promoting measures to prevent attacks and imposing penalties for paying ransoms; law enforcement agencies were having occasional successes taking down ransomware gangs; and security solution vendors were introducing new defenses. And indeed, what we are calling "ransomware classic" has tapered off. Ransomware attacks that involve only encrypting files are way down, as we discussed on pages 24 and 25.

One take on the current situation is that ransomware has reinvented itself by morphing into double extortion or triple extortion variants that combine multiple threats. Threats to release exfiltrated information, notify customers and the media of breaches, and conduct DDoS attacks make ransom demands even harder to resist. This Darwinian adaptation has enabled overall ransomware attacks to stay at high levels and average ransom payments to rise (see Figures 18 and 19).

However, there is another way of looking at these developments. Let's say you are a cybercriminal who specializes in breaching employee databases and exfiltrating names and Social Security numbers. Once you succeed, it takes a lot of work to turn that information into cash by setting up credit card accounts, making purchases, reselling the goods to obtain currency, etc. Of course, you can just sell the data to someone else on the dark web, but you might only get a few dollars per number. Then you realize you can make the same money or better with a lot less work by demanding a ransom for not using the information. So, you partner with a ransomware gang and launch a double extortion ransomware attack.

In other words, we may be seeing cybercriminals of many types deciding to monetize their activities by demanding ransoms, rather than using or selling the information they steal.

This would not necessarily be good news, but it might point to new ways to protect against and respond to ransomware attacks. The more complex the attack, the more chance of errors by the attackers, and the more hand-offs between the data thief and the extortion crew for defenders to detect.

The Menace of AI Chatbots and Deepfakes

While this is being written in early 2023, security experts are starting to assess the potential dangers of bad guys using the ChatGPT chatbot and other AI-based tools. They are concerned that threat actors might use these tools to:

‹ Generate grammatically perfect, polished phishing messages
‹ Create highly customized phishing emails that correctly use terminology specific to industries or roles, perhaps even replicating the style of individuals such as a firm's CEO
‹ Obfuscate existing malware variants
‹ Write new malicious code

Deepfakes are also a major threat. There have already been a few attempts to use simulated voices (typically of CEOs) to persuade subordinates to transfer funds to the account of a fabricated supplier, as well as primitive attempts to literally put words in the mouths of political figures in phony videos.

As deepfake technology improves, we will undoubtedly see more and better examples employed for both cybercrime and ideological and political ends. It's not hard to imagine the possibilities:

‹ Launch phishing attacks by having fake celebrity endorsers announce sales and send customers to fake websites to capture credit card information
‹ Sow confusion by having fake versions of corporate executives announce product recalls or accidents caused by the company's products
‹ Manipulate stocks by releasing fake videos of CEOs announcing strongly positive or negative news
‹ Manipulate elections by releasing fake videos of political candidates making controversial statements, exhibiting physical or mental infirmities, or issuing phony endorsements
‹ Demand ransoms for not doing any of the above (see "Is All Cybercrime Becoming Ransomware?" above)

At this time, threats from AI-based tools and deepfakes are mostly speculative. However, because it is the nature of AI technologies to improve over time, we are very likely to see an ongoing arms race between threat actors, who are finding new uses for AI-based chatbots and deepfake tools, and IT security vendors, who are developing solutions to detect and block them.

IT Security Leaders Talking Risks and Returns

A new question in this year's survey asked whether IT security leaders engage with their board of directors. In case anyone had doubts, the responses showed that such interaction is almost universal and takes many forms. They include providing risk reports, presenting at board meetings, and working together on cyber risk assessment committees. A significant number of IT security teams also share measurements of the maturity of their security programs or the results of cyber risk assessments conducted by third parties (see pages 48 and 49).

We can describe the security team's interaction with boards as an evolution from zero engagement to multi-faceted involvement, as shown by this progression:

1. We never talk to them.
2. We talk to them only when we are forced to because of a data breach, disruption of business, or some other major crisis.
3. We tell them how many vulnerabilities we've remediated and how many attacks we've stopped and ask for additional funding so we can do more of that kind of thing.
4. We discuss how our programs align with organizational goals and support priority initiatives.
5. We describe current risks to the business, explain what we are doing to mitigate them, and discuss the financial return on investments in security based on losses prevented and revenues increased.

We'd say that some organizations are stuck at the third level, and most have established themselves on the fourth. Only a handful have advanced to the fifth level. But now that IT security leaders are getting face time and sharing metrics with board members, they are going to have to do a lot more talking about risks and returns.

An Opportunity to Hire IT Security Talent?

Year after year, our survey has found that a shortage of skilled IT security personnel is the biggest factor inhibiting organizations from adequately defending themselves against cyberthreats. That didn't change this year (see Figure 27).

As we pointed out on pages 15 and 16, job seekers from the current wave of layoffs in high tech won't come near to filling this gap. However, this may be a good time for organizations to make an extra effort to find and recruit some of the refugees from respected technology companies that are cutting back. Perhaps consider offering cybersecurity training and certification as a recruitment tool. After all, training and certification are not just about the Benjamins (page 32).

It may also be a good time to think creatively about finding smart people with certain backgrounds and training them to fill IT security roles. For example, good coders can become application security professionals, and financial analysts with the right mindset might make good risk and fraud analysts.


Appendix 1: Survey Demographics

This year's report is based on survey results obtained from 1,200 qualified participants hailing from 17 countries (see Figure 45) across six major regions (North America, Europe, Asia Pacific, Latin America, the Middle East, and Africa). Each participant has an IT security job role (see Figure 46). This year, 47.5% of our respondents held CIO, CISO, or other IT security executive positions.

Figure 45: Survey participation by country.

United States    29.2%
United Kingdom    8.3%
Germany           6.3%
France            6.3%
Australia         4.2%
Canada            4.2%
China             4.2%
Italy             4.2%
Japan             4.2%
Saudi Arabia      4.2%
Singapore         4.2%
South Africa      4.2%
Spain             4.2%
Turkey            4.2%
Brazil            2.8%
Colombia          2.8%
Mexico            2.8%

Figure 46: Survey participation by IT security role.

CIO, CISO, or IT security executive    47.5%
Other roles, with shares of 21.9%, 9.3%, 7.8%, 5.8%, 5.4%, and 2.8% (the chart's role-to-percentage pairing is not recoverable from the extracted text): IT security administrator; IT security architect / engineer; IT security analyst / operator / incident responder; data protection / privacy officer; IT security / compliance auditor; other IT security position

This study addresses perceptions and insights from research participants employed with commercial and government organizations with 500 to 25,000+ employees (see Figure 47). A total of 19 industries (plus "Other") are represented in this year's study (see Figure 48). Seven industries – education, finance, government, healthcare, manufacturing, retail, and telecom & technology – accounted for 62% of all respondents. No single industry accounted for more than 15.5% of participants.

Figure 47: Survey participation by organization employee count.

Employee-count bands: 500 – 999; 1,000 – 4,999; 5,000 – 9,999; 10,000 – 24,999; 25,000 or more. Shares shown in the chart: 38.5%, 22.6%, 19.2%, 10.5%, and 9.3% (the band-to-percentage pairing is not recoverable from the extracted text).

Figure 48: Survey participation by industry.

Telecom & Technology               15.5%
Manufacturing                      15.0%
Construction and Machinery         10.3%
Retail & Consumer Durables         10.0%
Healthcare                          6.2%
Finance & Financial Services        6.0%
Other                               5.5%
Education                           4.8%
Utilities, Energy, and Extraction   4.7%
Business Support & Logistics        4.5%
Government                          4.3%
Advertising & Marketing             2.4%
Airlines & Aerospace                2.3%
Automotive                          2.1%
Insurance                           1.9%
Real Estate                         1.4%
Food & Beverages                    1.2%
Agriculture                         0.9%
Entertainment & Leisure             0.6%
Nonprofit                           0.5%


Appendix 2: Research Methodology

CyberEdge developed a 27-question, web-based, vendor-agnostic survey instrument in partnership with our research sponsors. The survey was completed by 1,200 IT security professionals in 17 countries and 19 industries in November 2022. The global margin of error for this research study (at a standard 95% confidence level) is 3%. All results pertaining to individual countries and industries should be viewed as anecdotal, as their sample sizes are much smaller. CyberEdge recommends making actionable decisions based on global data only.

All respondents had to meet two filter criteria: (1) they had to have an IT security role; and (2) they had to be employed by a commercial or government organization with a minimum of 500 global employees.

At CyberEdge, survey data quality is paramount. CyberEdge goes to extraordinary lengths to ensure our survey data is of the highest caliber by following these industry best practices:

‹ Ensuring that the right people are being surveyed by (politely) exiting respondents from the survey who don't meet the respondent filter criteria of the survey (e.g., job role, job seniority, company size, industry)
‹ Ensuring that disqualified respondents (who do not meet respondent filter criteria) cannot restart the survey (from the same IP address) in an attempt to obtain the survey incentive
‹ Constructing survey questions in a way that eliminates survey bias and minimizes the potential for survey fatigue
‹ Only accepting completed surveys after the respondent has provided answers to all of the questions
‹ Ensuring that respondents view the survey in their native language (e.g., English, German, French, Spanish, Japanese, Chinese)
‹ Randomizing survey responses, when possible, to prevent order bias
‹ Adding "Don't know" (or comparable) responses, when possible, so respondents aren't forced to guess at questions they don't know the answer to
‹ Eliminating responses from "speeders" who complete the survey in a fraction of the median completion time
‹ Eliminating responses from "cheaters" who apply consistent patterns to their responses (e.g., A,A,A,A and A,B,C,D,A,B,C,D)
‹ Ensuring the online survey is fully tested and easy to use on computers, tablets, and smartphones

CyberEdge would like to thank our research sponsors for making this annual research study possible and for sharing their IT security knowledge and perspectives with us.


Appendix 3: Research Sponsors

CyberEdge is grateful for its Platinum, Gold, and Silver sponsors, for without them this report would not be possible.

Platinum Sponsors
ISC2 | www.isc2.org
ISC2 is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, ISC2 offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, nearly 330,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™.

Arkose Labs | www.arkoselabs.com
Arkose Labs is the global leader in bot management and account security, and its mission is to create an online environment where all consumers are protected from malicious activity. Its AI-based platform combines powerful risk assessments with dynamic attack response that undermines the ROI behind attacks while improving good user throughput. The company offers the world's first and only $1 Million Credential Stuffing Warranty™. Headquartered in San Mateo, CA with offices in Brisbane and Sydney, Australia, San Jose, Costa Rica, and London, UK, the company ranked as the 106th fastest-growing company in North America on the 2022 Deloitte Fast500 list.

Fortra | www.fortra.com
Fortra's Digital Risk and Email Protection provide comprehensive solutions for your toughest email security and brand integrity challenges. Through our digital risk protection solutions, we provide curated threat intelligence and complete mitigation of external threats across web, social, and mobile channels. Our email security and anti-phishing solutions protect emails, brands, and data from sophisticated phishing attacks, insider threats, and data loss.

HUMAN Security | www.humansecurity.com
HUMAN is a cybersecurity company that protects organizations by disrupting digital fraud and abuse. We leverage modern defense to disrupt the economics of cybercrime by increasing the cost to cybercriminals while simultaneously reducing the cost of collective defense. Today we verify the humanity of more than 20 trillion digital interactions per week across advertising, marketing, e-commerce, government, education and enterprise security, putting us in a position to win against cybercriminals. Protect your digital business with HUMAN.

Imperva | www.imperva.com
Imperva is a cybersecurity leader whose mission is to protect data and all paths to it. We protect customers from cyber attacks through all stages of their digital transformation. Imperva Research Labs and our global intelligence community enable Imperva to stay ahead of the threat landscape and seamlessly integrate the latest security, privacy and compliance expertise into our solutions.

Menlo Security | www.menlosecurity.com
Menlo Security protects organizations from cyberattacks by eliminating the threat of malware and evasive web threats from documents, email, and the single biggest productivity tool – the web browser. Menlo's patented isolation-powered Cloud Security Platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end-user experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies, eight of the ten largest global financial services institutions, and large governmental institutions. Menlo Security is headquartered in Mountain View, California.

Gold Sponsors
Delinea | www.delinea.com
Delinea is a leading provider of Privileged Access Management (PAM) solutions for the modern, hybrid enterprise. The Delinea Platform seamlessly extends PAM by providing authorization for all identities, granting access to an organization's most critical hybrid cloud infrastructure and sensitive data to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies.

LookingGlass | www.lookingglasscyber.com
The LookingGlass Platform is purpose-built to see the entire internet, enabling national, industrial, and enterprise-scale decisions with unparalleled curated threat intelligence on critical assets, risks, and sectors. LookingGlass delivers actionable insights and advanced analytics to support attack surface intelligence, third party risk management, and national-scale cyber missions.

Netskope | www.netskope.com
Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements.

Netsurion | www.netsurion.com
Netsurion® delivers complete cybersecurity confidence through wider attack surface coverage, deeper threat detection, and faster incident response. Netsurion's Managed XDR solution combines our 24x7 SOC and our Open XDR platform in a co-managed service that gives you the ultimate flexibility to adapt and grow while maintaining a secure environment. Headquartered in Ft. Lauderdale, FL with a global team of security analysts and engineers, Netsurion is a leader in Managed Extended Detection & Response (MXDR).

SailPoint Technologies | www.sailpoint.com
SailPoint is a leading provider of identity security for the modern enterprise. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time, matching the scale, velocity, and environmental needs of today's cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today's most pressing threats.

ZeroFox | www.zerofox.com
ZeroFox (Nasdaq: ZFOX) is an enterprise software-as-a-service leader in external cybersecurity. The ZeroFox platform combines advanced AI analytics, digital risk and privacy protection, full-spectrum threat intelligence, and a robust portfolio of breach, incident and takedown response capabilities to expose and disrupt phishing and fraud campaigns, botnet exposures, credential theft, impersonations, data breaches, and physical threats that target your brands, domains, people, and assets. Join thousands of customers, including some of the largest organizations in the public sector, finance, media, technology, retail and manufacturing, to address the entire lifecycle of external cyber risks.

Silver Sponsors
HackerOne | www.hackerone.com
HackerOne closes the security gap between what organizations own and what they can protect. HackerOne's Attack Resistance Management blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats. Customers include Citrix, Coinbase, Costa Coffee, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Microsoft, PayPal, Singapore's Ministry of Defense, Slack, the U.S. Department of Defense, and Yahoo. In 2021, HackerOne was named as a 'brand that matters' by Fast Company.

Netwrix | www.netwrix.com
Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity and infrastructure.

OffSec | www.offsec.com
OffSec is the leading provider of continuous professional and workforce development, training, and education for cybersecurity practitioners. OffSec's distinct pedagogy and practical, hands-on learning help organizations fill the infosec talent gap by training their teams on today's most critical skills. With the OffSec Learning Library featuring 6,000 hours of content, 1,500 videos, 2,500 exercises, and 900 hands-on labs, OffSec demonstrates its commitment to empowering individuals and organizations to fight cyber threats with indispensable cybersecurity skills and resources. OffSec also funds and maintains Kali Linux, the leading operating system for penetration testing, ethical hacking, and network security assessments.

Phosphorus Cybersecurity | www.phosphorus.io
Phosphorus Cybersecurity is the leading xIoT Breach Prevention platform for the xTended Internet of Things. Designed to secure the growing and unmonitored Things across the enterprise xIoT landscape, our Enterprise xIoT Security Platform delivers Attack Surface Management across every vertical, providing Active Discovery & Assessment, Hardening & Remediation, and Detection & Response to bring xIoT security to every cyber-physical Thing in your environment. With xIoT intelligent active discovery and posture assessment, Phosphorus automates the remediation of the most significant IoT, OT, and Network device vulnerabilities, including unknown and inaccurate asset inventory, out-of-date firmware, default credentials, risky configurations, and out-of-date certificates.

Picus Security | www.picussecurity.com
Picus Security helps security teams of all sizes to continuously validate and enhance organizations' cyber resilience. Our Complete Security Validation Platform simulates real-world threats to automatically evaluate the effectiveness of security controls, identify high-risk attack paths to critical assets, and optimize threat prevention and detection capabilities. As the pioneer of Breach and Attack Simulation, we specialize in supplying the actionable insights our customers need to be threat-centric and proactive. Via our online Purple Academy, we give back to the community by providing free training about the latest offensive and defensive security approaches.

Valence Security | www.valencesecurity.com
Valence Security offers collaborative remediation workflows that engage with business users to contextualize and reduce SaaS data sharing, supply chain, identity, and misconfiguration risks. With Valence, security teams can secure their critical SaaS applications like Microsoft 365, Google Workspace, Salesforce, and Slack and ensure continuous compliance with internal policies, industry standards and regulations, while accelerating business productivity and the speed of SaaS adoption. Valence is backed by leading cybersecurity investors like Microsoft's M12 and YL Ventures, and is trusted by leading organizations.


Appendix 4: About CyberEdge Group

Founded in 2012, CyberEdge Group is the largest research, marketing, and publishing firm to serve the IT security vendor
community. Today, approximately one in six IT security vendors (with $10 million or more in annual revenue) is a CyberEdge client.

CyberEdge’s highly acclaimed Cyberthreat Defense Report (CDR) and other single- and multi-sponsor survey reports have
garnered numerous awards and have been featured by both business and technology publications alike, including The Wall
Street Journal, Forbes, Fortune, USA Today, NBC News, ABC News, SC Magazine, DarkReading, and CISO Magazine.

CyberEdge has cultivated its reputation for delivering the highest-quality survey reports, analyst reports, white papers, and
custom books and eBooks in the IT security industry. Our highly experienced, award-winning consultants have in-depth subject
matter expertise in dozens of IT security technologies, including:

‹ Advanced Threat Protection (ATP)
‹ Application Security
‹ Cloud Security
‹ Data Security
‹ Deception Technology
‹ DevSecOps
‹ DoS/DDoS Protection
‹ Endpoint Security (EDR & EPP)
‹ ICS/OT Security
‹ Identity and Access Management (IAM)
‹ Intrusion Prevention System (IPS)
‹ Managed Security Services Providers (MSSPs)
‹ Mobile Application Management (MAM)
‹ Mobile Device Management (MDM)
‹ Network Behavior Analysis (NBA)
‹ Network Detection & Response (NDR)
‹ Network Forensics
‹ Next-generation Firewall (NGFW)
‹ Patch Management
‹ Penetration Testing
‹ Privileged Account Management (PAM)
‹ Risk Management/Quantification
‹ Secure Access Service Edge (SASE)
‹ Secure Email Gateway (SEG)
‹ Secure Web Gateway (SWG)
‹ Security Analytics
‹ Security Configuration Management (SCM)
‹ Security Information & Event Management (SIEM)
‹ Security Orchestration, Automation, and Response (SOAR)
‹ Software-defined Wide Area Network (SD-WAN)
‹ SSL/TLS Inspection
‹ Supply Chain Risk Management
‹ Third-party Risk Management (TPRM)
‹ Threat Intelligence Platforms (TIPs) & Services
‹ User and Entity Behavior Analytics (UEBA)
‹ Unified Threat Management (UTM)
‹ Virtualization Security
‹ Vulnerability Management (VM)
‹ Web Application Firewall (WAF)
‹ Zero Trust Network Access (ZTNA)

For more information about CyberEdge and our services, call us at 800-327-8711, email us at [email protected], or connect to our website at www.cyber-edge.com.


CyberEdge Acceptable Use Policy


CyberEdge Group, LLC (“CyberEdge”) encourages third-party organizations to incorporate textual and graphical elements of this report
into presentations, reports, website content, product collateral, and other marketing communications without seeking explicit written
permission from CyberEdge, provided such organizations adhere to this acceptable use policy.

The following rules apply to referencing textual and/or graphical elements of this report:

1. Report distribution. Only CyberEdge and its authorized research sponsors are permitted to distribute this report for commercial purposes. However, organizations are permitted to leverage the report for internal uses, including training.

2. Source citations. When citing a textual and/or graphical element from this report, you must incorporate the following statement into a corresponding footnote or citation: “Source: 2023 Cyberthreat Defense Report, CyberEdge Group, LLC.”

3. Quotes and excerpts. Quotes and excerpts extracted from this report must not be modified in any way. Rephrasing is not permitted.

4. Figures and tables. Figures and tables extracted from this report must not be modified in any way. Artwork for figures and tables for the most recent Cyberthreat Defense Report are available for download at no charge on the CyberEdge website at https://www.cyber-edge.com/cdr.

5. No implied endorsements. CyberEdge does not endorse technology vendors. Cited CyberEdge content should never be used to imply favor from CyberEdge.

If you have questions about this policy or would like to incorporate content from this report in a manner not addressed by this policy, submit an email to [email protected].

Copyright © 2023, CyberEdge Group, LLC. All rights reserved. The CyberEdge Group name and logo are the property of CyberEdge Group, LLC. All other company names, trademarks, and service marks are the property of their respective owners. Version 1.0

Your Path to Purpose + Impact

Become a leader in cybersecurity

Cybersecurity leaders champion a safe and secure cyber world. They expertly embed security across operations, rapidly respond to threats and advise senior leaders. With the challenges of the role come substantial rewards — personally, professionally and financially.

CISSP certification, the global gold standard in cybersecurity, puts you on solid footing to succeed in a cybersecurity leadership role.

Take the first step to CISSP certification

Join ISC2 as a Candidate. Sign up now and gain access to exclusive benefits, including 20% off Official ISC2 Training so you can start preparing for the CISSP exam. More benefits include:

• Free training for ISC2 Certified in Cybersecurity certification
• Discounted learning resources
• ISC2 Security Congress annual conference
• And more

Your first year is free — no cost to you.*

*If you choose to renew after the first year, U.S. $50 due annually.

CISSP is the #1 security credential required by employers on LinkedIn.
