Security study: Poor preparation for emergencies


In 2023, security departments must work more purposefully in vulnerability management and supply chain security. This is a central result of the "State of Security Preparedness 2023" study published by the security provider Ivanti.

In contrast to their international colleagues, the degree of maturity of German security departments is only mediocre. This is particularly evident in business-critical issues such as handling vulnerabilities and security training for business partners in the company's own supply chain.

German security teams have some catching up to do

According to the Ivanti study, the degree of maturity of German IT security departments is significantly lower than in neighboring European countries and worldwide. Just 19% of respondents rate their team as advanced and proven when it comes to complying with national and global security regulations, policies and procedures. In England, in France and on international average, around 30% of companies are at this highest level of defence. According to their own assessment, the largest group of German security teams (36%) is only at an “intermediate level” on this question.

Weak self-assessment confirmed

This self-assessment is supported by the methods IT teams use to evaluate their cyber programs. The quality of these methods can serve as an indicator of how soundly the programs are set up and implemented. Cybersecurity maturity models play only a minor role in Germany compared to the international average. Just 1/3 of the companies in this country work with these models; worldwide it is 2/3. The situation is similar when it comes to assessing the risk to which relevant financial data is exposed. 1/3 of the security specialists surveyed in Germany determine their security position based on a Finance Data Risk Assessment (FinDRA). However, almost twice as many of their peers in the UK and US work with this metric (61%, 62%).

The ability of an organization to accurately determine its own security level depends not least on insight into the systems and solutions used in the company. From this perspective, too, the self-assessment of German security managers is only moderate. The majority of them (54%) have only a moderate overview of their assets, and just 15% continuously track the users, devices, applications and services logged into the corporate network.

Vulnerability Management: Would you like to patch everything?

“The results of our study show that German security professionals want to close almost every vulnerability with priority or high priority. Such an attitude corresponds to the understandable desire to close as many potential gateways as possible. However, this can hardly be realized in the regular operation of an IT department with the available resources of the teams,” says Johannes Carl, Expert Manager PreSales - UEM & Security. “The sheer number of open vulnerabilities makes it almost impossible to put a complete protective wall around a company. It is much more effective to prioritize closing those vulnerabilities that pose an actual risk for the individual company.”

The Ivanti study shows that this insight has not yet spread sufficiently among security teams in Germany. Half of the security experts (48%) prioritize strategic vulnerabilities that are directly relevant to their company, a good value in an international comparison. However, it is noticeable that a disproportionately large number of vulnerabilities are included.

Regardless of whether the vulnerabilities are listed in the NVD (National Vulnerability Database), are currently being exploited or have been identified by the team itself, the majority of German security professionals assign them the highest urgency. Internationally, there is much more differentiation on this question. One reason for this rating may lie in the fact that 40% of the respondents either do not use a specific method for prioritizing vulnerabilities or, if one is available, it is not separately documented. This makes it difficult for the teams to apply consistent rules for risk-based vulnerability management.

Supply chain attacks at a glance - but under control?

The evaluation of potential attack vectors also allows for an interesting analysis. 40% of German security professionals see only a moderate level of threat in attacks on and via the supply chain. Given the increase in this type of attack over the past year, such an assessment is quite astonishing. What is also interesting, however, is the statement by almost every second respondent (48%) that they are very well prepared for a supply chain attack.

This is consistent with the strong ability of German IT departments, in a country comparison, to withdraw access for third-party companies at short notice. 51% are able to do this within a day. Another finding is much more critical: only a little more than every second security specialist in Germany (57%) also requires supply chain partners to undergo mandatory cybersecurity training. The average value for all countries is 67%.

Background of the study

For the "State of Security Preparedness 2023" study, more than 6,500 executives, cybersecurity experts and office workers worldwide were surveyed in October 2022. The goal of the survey, conducted by Ravn Research, is to understand how enterprise IT professionals perceive today's security threats and how organizations are preparing for yet unknown threats in the future.

More at Ivanti.com

 


About Ivanti

The strength of unified IT. Ivanti connects IT with security operations in the company in order to better control and secure the digital workplace. We identify IT assets on PCs, mobile devices, virtualized infrastructures or in the data center - regardless of whether they are hidden on-premise or in the cloud. Ivanti improves the provision of IT services and reduces risks in the company on the basis of specialist knowledge and automated processes. By using modern technologies in the warehouse and across the entire supply chain, Ivanti helps companies improve their ability to deliver - without changing the backend systems.


 
