Attack surface visibility a top CISO priority amid growing attacks: Report

Ninety-three percent of organizations suffered a cyberattack last year, making attack surface visibility a top priority for CISOs, according to a study by threat intelligence company Censys.

The study was designed to explore the state of security leadership in a shifting digital terrain and interviewed a total of 208 CISOs or CISO equivalents from US-based companies with more than 5,000 employees.

In the report, Censys explored the cybersecurity events and experiences that influence senior leadership decisions, said Dayna Rothman, chief marketing officer at Censys. "By doing this study, it is our hope that organizations can better facilitate conversations about the importance of digital asset management and maintain good security practices that provide continued visibility," Rothman said.

Incidents fuel the push for attack surface visibility

All participants in the study agreed that their view of the current risk environment is more negative than it was a year ago. This was mainly because a significant number (93%) of them experienced at least one cyberattack in the past year, according to the study.

"Nearly three-fourths of those surveyed in recent EMA research had experienced a cybersecurity incident in the past 12-18 months," said Chris Steffen, an analyst at Enterprise Management Associates. "That number will always vary depending on what they consider an incident, but no matter how you look at it, the enterprise is forced to address these kinds of issues, either from a proactive prevention perspective or a remediation -- 'dealing with the consequences' perspective."

While the latest tools and technologies help CISOs cope with daily cybersecurity vulnerabilities, these advances in technology are also benefiting cybercriminals, Steffen added.

More than half (53%) of the respondents identified the "need to secure their organization's entire attack surface" as their top priority, emphasizing external attack surface management solutions as critical elements to securing organizations and preventing attacks.

"A significant part of the lack of visibility is the capabilities of the tools that the organization is using, but another significant portion is either a lack of understanding or a misconfiguration of the organization's attack surface," Steffen added. "Constantly changing enterprise environments -- from new technologies to updates, new vendors, and third-party connections -- also sometimes contribute to the attack surface."

Additionally, the report found 65% of security teams lacked qualified resources, leading to significant burnout among senior leaders and their team members.

Preferred measures include zero trust, cyberinsurance

Fifty-eight percent of respondents took defensive actions in the form of shifting to (or increasing) zero trust in the last year. According to the report, this was caused by a mix of factors, including increased global tensions and leading nation-state actors, globally distributed devices, and the White House's new cybersecurity strategy.

A significant number (91%) of the respondents said their organization has cyberinsurance in place, however, over a quarter (27%) do not understand the total obligations of their insurance policy.

This is because the insurance market itself is in flux, with changing standards, claim processes, and policy assessment types, according to Steffen. "According to a recent EMA survey, 75% of ransomware payees reported that paying the ransom resolved all the expected problems, while another 22% and 53% considered paying the ransom as cost and downtime saving respectively."

The study recommended that CISOs and cybersecurity professionals have clearer conversations with security teams about business operations to identify key threats and protect assets effectively.