New cyber security research focused on large European enterprises suggest an expanding attack surface due to cloud transformation, staff shortages and poor visibility are leading to systemic weaknesses – prompting leaders to focus on threat intelligence, automation and integrating disparate tools in the upcoming year.  About a quarter of respondents plan to invest in managed services to boost their security operations capabilities by extending them with outside expertise.

The ISMG Cybersecurity Complexity Study sponsored by ReliaQuest looked at enterprises within the UK, Benelux, France and Germany to explore the causes and impact of complexity on cyber security alongside challenges, priorities, and planned investment decision for 2022.

Challenges

In terms of challenges, the study found that the sophistication of adversaries and attacks that ‘evolve faster than enterprises can adapt’ was the single biggest issue for 60% of respondents. This was followed closely by lack of skilled staff (40%) and lack of visibility across disparate tools that are hard to integrate (33%). This lack of visibility theme was persistent throughout the research with 67% stating that ‘improved visibility would do the most to improve efficiency of detection, investigation and response. 

As the report editor, Tom Field, SVP of Editorial at ISMG says, “These are actually encouraging statistics because they show respondents not only understand they have a problem, but they know the problem is a lack of visibility created by complexity.”

The report identifies the main cause of complexity for 47% of enterprises is due to “too many tools that don’t integrate easily.” The second biggest source of complexity was identified by 43% of enterprises as ‘too many devices – managed and unmanaged – connected to the network’ This is further compounded by ‘cloud migration and digital transformation’ that is sighted by 33% of respondents as a significant cause of complexity.  Thus a combination of factors are creating blind spots driving inefficiencies across the threat detection and response process and the inability to combat emerging threats and protect the enterprise.  

Priorities 

“The survey also highlights the reality of ongoing staff shortages but there seems to be a realisation that fresh recruitment alone is not going to solve the problem,” says John Fedoronko, Vice President of Sales, EMEA for ReliaQuest, “The data suggests that many see a combination of automation and more use of managed services as the best path to strengthen security over the next few years – with the survey finding that just 1 in 3 enterprises (34%) is prioritising in-house cyber security investment compared to over half (51%) that are looking for external assistance.”

Investment

The current situation of cyber security tool sprawl and staff shortage leading to complexity has also prompted a shift in 2022 investment plans.  Although 87% said they expect increased or level funding for cybersecurity, when asked about strategy – only 11% stated that new tools were their number one priority. In fact, a higher number (12%) stated that a reduction in cyber security tools and/or vendors was a primary aim. 

By far the largest investment signals for just over one-quarter of respondents (28%) was a goal to “improve visibility,” while 24% are gearing investments towards automation. The report also found that to improve security operation, more enterprises are looking to external managed security services (37%) which surprisingly overtook In-house management of products (33%).

“It is clear, especially when you talk to larger enterprises that they are not prepared to just throw more  resources at the problem through additional point tools that don’t solve the underlying complexity issue, “ says Fedoronko, “It’s evident that enterprises see automation as a way of overcoming many of the challenges they face, but all the data suggest that unless they can achieve better integration between tools and raise visibility – the underlying complexity will remain and they will continue to be challenged with managing and reporting risks and keeping up with the pace of change of the business.”

Unification before automation

This sentiment is echoed by ISMG’s Tom Field, “One’s instinct might be to run toward automation as the next big solution. But what do you get if you automate complexity? More efficient complexity. The key is to fix the foundation – unify the disparate tools that are inhibiting visibility and creating complexity. Then you can add a layer of automation to give your human defenders a better fighting chance,” he says, “When you’ve accomplished unity and introduced automation, then you want to operationalize this new power, and it becomes about talent. You may not have the sheer numbers of people necessary; if you do, then perhaps not the right skill sets. More tools will not solve this problem. More talent will. If you lack the skills in-house, then look to a third party or managed service.”

The full 2021 European Cybersecurity Complexity Study provides insights from 18 data points across priorities, tooling, operational strategy and spending and is available for free download at: https://reliaquest.com/resource/research-report/2021-europe-cybersecurity-complexity-study

Methodology

This survey was conducted in the summer of 2021 and focused on Western European enterprises within the UK, Netherlands, Belgium, France and Germany. The survey received more than 200 responses from organisations primarily in professional services (37%) and financial services (32%), but also in retail, utilities and manufacturing, mainly with enterprises employing 1,000-5,000 employees (67%).