Top 5 Security Hygiene and Posture Management Trends for 2023


Although virtually every organization has revisited its cyber asset management, vulnerability management and security testing capabilities over the past few years, new research into the state of security hygiene and posture management from the Enterprise Strategy Group (ESG) suggests these initiatives are still not where they need to be. According to Jon Oltsik, distinguished fellow and analyst at ESG, “organizations continue to struggle with security hygiene and posture management due to disjointed cyber risk processes, decentral organizations, and attack surface growth.”

The Current State of Security Hygiene and Posture Management

To provide further insight into the current state of security hygiene and posture management, we’ve summarized a few of the biggest takeaways from the new ESG survey of 383 IT and cybersecurity professionals representing enterprises within North America.

  • Over half (58%) of organizations lack a centralized approach to security hygiene and posture management.

Regardless of the level of investment and number of resources organizations have dedicated to cybersecurity asset management, today’s security hygiene programs remain disorganized. Initiatives that lack centralization inevitably struggle due to the inability to align on project ownership, objectives, and priorities.

  • Security and IT tool integration is the top priority for improving security asset management programs.

IT and security professionals recognize that data silos make it difficult to keep up with, and respond to, changes across their environment. A key challenge for security leaders is how to unlock the data they already hold in separate tools and make it usable to drive security improvement programs. It therefore makes sense that automating security asset management is next on the list: automation provides the scale and consistency needed to extract value from that data, rather than re-collecting it by hand each time.

  • Nearly half (42%) of teams take more than 80 hours to complete a comprehensive asset inventory.

Conducting a manual asset inventory has always been time consuming and resource intensive. Too many security teams still rely on spreadsheets and simple analysis tools, so their data is out of date almost as soon as it has been compiled. Unfortunately, the problem is getting worse: more organizations now take at least 80 hours to generate an asset inventory than did in 2021.

This increase is likely due to the combination of the evolution and growth of dynamic asset environments and technology stacks, and the inability to centralize teams, processes and data. As mandates begin to require a comprehensive, continuously refreshed asset inventory, such as CISA's recent Binding Operational Directive (BOD) 23-01 (which binds U.S. federal civilian executive branch agencies to automated asset discovery every 7 days and vulnerability enumeration across all discovered assets every 14 days), security teams will have to become more effective at building and continuously maintaining visibility into their estate, in partnership with their IT operations teams.

  • Fewer than 15% of organizations continuously scan their attack surface.

Most organizations (86%) have yet to achieve continuous visibility of the attack surface. Adversaries look for the path of least resistance, and an internet-facing asset that is only inventoried or scanned periodically can sit exposed for weeks between checks, which leaves enterprises in a vulnerable position against agile modern threat actors. While managing a modern attack surface is undoubtedly complex, maintaining comprehensive visibility is essential. As the saying goes, you can't protect what you can't see.

  • More than three-quarters (76%) of organizations have experienced an attack due to an unknown, unmanaged, or poorly managed internet-facing asset within the past two years.

Today, more enterprises have experienced a cyber attack caused by an exposed asset: the figure has grown 7% since 2021. This should raise a red flag for any cybersecurity professional involved in the security hygiene and posture management (SHPM) process and argues for stricter requirements around the frequency of attack surface scans.
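To make concrete what "unlocking" siloed tool data looks like, and why an inventory compiled by hand goes stale, here is an added Python example that is not from the ESG report or from Noetic's product. It reconciles three constructed sample exports (a cloud provider's instance list, an EDR console's agent list and a vulnerability scanner's target list, with deliberately inconsistent naming and identifiers) into one inventory keyed by normalized hostname, then reports the hygiene gaps the survey findings above describe: internet-facing assets no agent or scanner has seen, assets known to only one tool, and records older than a freshness window. The hostnames, the 203.0.113.0/24 documentation-range IPs, the timestamps and the 14-day window are all assumptions for illustration.

```python
"""Reconcile asset inventories from several tools and flag coverage gaps.

Added example; the three exports below are constructed sample data, not
output from any real product.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample exports. Field names and identifier formats differ
# between tools on purpose, because that is what makes reconciliation work.
CLOUD_EXPORT = [
    {"name": "web-01", "public_ip": "203.0.113.10", "last_seen": "2023-03-01T10:00:00Z"},
    {"name": "WEB-02", "public_ip": "203.0.113.11", "last_seen": "2023-03-01T10:00:00Z"},
    {"name": "legacy-ftp", "public_ip": "203.0.113.50", "last_seen": "2022-11-15T08:00:00Z"},
]
EDR_EXPORT = [
    {"hostname": "web-01.example.com", "agent_last_checkin": "2023-03-01T09:58:00Z"},
    {"hostname": "web-02.example.com", "agent_last_checkin": "2023-02-01T09:58:00Z"},
    {"hostname": "db-01.example.com", "agent_last_checkin": "2023-03-01T09:58:00Z"},
]
SCANNER_EXPORT = [
    {"target": "203.0.113.10", "scanned_at": "2023-02-27T02:00:00Z"},
    {"target": "203.0.113.11", "scanned_at": "2023-02-27T02:00:00Z"},
]


def normalize_name(value):
    """Map 'WEB-02', 'web-02.example.com' and 'Web-02' to the one key 'web-02'."""
    return value.strip().lower().split(".")[0]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps the sample exports use (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(cloud, edr, scanner):
    """Merge the exports into one dict keyed by normalized asset name.

    Each entry records which tools know the asset, its public IP if the cloud
    export lists one, and the timestamp each tool last reported for it.
    """
    inventory = {}

    def entry(key):
        return inventory.setdefault(key, {"sources": set(), "public_ip": None, "last_seen": {}})

    ip_to_name = {}
    for rec in cloud:
        key = normalize_name(rec["name"])
        e = entry(key)
        e["sources"].add("cloud")
        e["public_ip"] = rec["public_ip"]
        e["last_seen"]["cloud"] = parse_ts(rec["last_seen"])
        ip_to_name[rec["public_ip"]] = key

    for rec in edr:
        key = normalize_name(rec["hostname"])
        e = entry(key)
        e["sources"].add("edr")
        e["last_seen"]["edr"] = parse_ts(rec["agent_last_checkin"])

    for rec in scanner:
        # Scanner results are keyed by IP; join them back to a name through the
        # cloud export, and keep the bare IP if nothing claims it.
        key = ip_to_name.get(rec["target"], rec["target"])
        e = entry(key)
        e["sources"].add("scanner")
        e["last_seen"]["scanner"] = parse_ts(rec["scanned_at"])
    return inventory


def find_gaps(inventory, now, max_age=timedelta(days=14)):
    """Return (asset, issue) pairs for coverage and staleness problems."""
    issues = []
    for name, e in sorted(inventory.items()):
        facing = e["public_ip"] is not None
        if facing and "edr" not in e["sources"]:
            issues.append((name, "internet-facing, no EDR agent"))
        if facing and "scanner" not in e["sources"]:
            issues.append((name, "internet-facing, never scanned"))
        if "cloud" not in e["sources"]:
            issues.append((name, "known to other tools but not in cloud inventory"))
        for source, seen in e["last_seen"].items():
            if now - seen > max_age:
                issues.append((name, f"{source} data stale ({(now - seen).days} days)"))
    return issues


if __name__ == "__main__":
    inv = reconcile(CLOUD_EXPORT, EDR_EXPORT, SCANNER_EXPORT)
    for asset, issue in find_gaps(inv, parse_ts("2023-03-02T00:00:00Z")):
        print(f"{asset}: {issue}")
```

Run against the sample data as of 2023-03-02, this flags `legacy-ftp` as an internet-facing host with no EDR agent, no scan and a cloud record last refreshed months ago, `web-02` as having an EDR agent that stopped checking in four weeks ago, and `db-01` as a host the EDR knows but the cloud inventory does not; `web-01`, which all three tools agree on, produces nothing. Scheduling this kind of join to run on every export, rather than rebuilding a spreadsheet every quarter, is the difference between an inventory that is stale on arrival and one a team can act on.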

None of the findings above is a new concept, which should prompt security and risk leaders to take a step back and consider whether they are spending their time and money wisely. Perhaps the most important takeaway from the report, then, is that by neglecting the fundamentals of security hygiene and posture management, organizations inadvertently limit the effectiveness of every other security program that depends on knowing what they own.

As a sponsor of the 2023 ESG Security Hygiene and Posture Management research, Noetic is proud to offer complimentary access to the full report. Download using the form below.