The State of Security Remediation 2024

Key Findings

In the dynamic and ever-evolving landscape of cybersecurity, security remediation remains a critical aspect of organizational defense strategies. It involves identifying, evaluating, and addressing security vulnerabilities to mitigate potential risks. However, the effectiveness of these remediation efforts is contingent upon several factors, ranging from team collaboration to the efficiency of the tools and processes in place. These key issues deserve attention given that the average cost of a data breach is $7.29 million.

1. Challenges in Achieving Visibility in Code-to-Cloud Environments

Many organizations are struggling to achieve visibility in their cloud environments. With only 23% of organizations reporting full visibility and a combined 77% experiencing less-than-optimal transparency, it’s clear that the complexity of these environments, particularly with the integration of containers and serverless architectures, poses significant challenges. This lack of visibility can lead to security gaps and complicates the management and monitoring of these environments, underscoring the need for solutions that can unify data and provide comprehensive observability.

2. False Positives and Duplicate Alerts: The Strain of Security Alerts

A notable 63% of organizations consider duplicate alerts a moderate to significant challenge, and 60% view false positives similarly, highlighting the inefficiencies and drawbacks of too much data coming at security teams. The high rate of organizations struggling with this could be attributed to overlapping functionalities among tools, or a lack of refined integration and fine-tuning. The repercussions of this alert overload include alert fatigue, prioritization challenges, and, ultimately, slower incident response times, which could leave an organization vulnerable. Merely increasing the quantity of security tools is not a cure-all; a more nuanced approach, focusing on these tools’ integration and intelligent orchestration, is imperative. The inclusion of automation or AI to reduce alert overload is of utmost importance to reduce strain on security teams. These technologies, with their ability to intelligently filter and prioritize alerts, can significantly reduce the volume of false positives and duplicate alerts, thereby enabling security teams to focus their efforts on genuine threats, enhancing both efficiency and effectiveness.

3. Proliferation of Security Tooling Creating Complexities

The escalating trend of alert overload in cybersecurity is a significant challenge facing organizations today. With 61% of organizations using between 3 and 6 different detection tools, and nearly half considering increasing their security budgets (indicating that more tools are likely to be introduced), the landscape is becoming increasingly complex. This proliferation of tools, while enhancing security coverage, also leads to a surge in alerts, including a high volume of false positives (see Key Finding 2).

Despite the continued proliferation of security tools, only 24% feel very prepared for cybersecurity threats, meaning 77% in some way feel underprepared or unprepared. The introduction of additional tools without a unified process can lead to siloed remediation efforts, overlapping vulnerabilities, and a disjointed approach to threat prioritization. A unified approach is crucial to ensure seamless integration of diverse systems, providing a comprehensive and contextual view of the security landscape to understand if there are gaps in coverage. This integration is vital to avoid redundancies in the security process and to ensure that threat prioritization is informed by a complete understanding of the organization’s security posture. To effectively manage this complexity, organizations must focus on strategic alignment and integration of their security tools.

4. Manual Overhead When Tackling Daily Security Vulnerabilities

The survey’s findings regarding the manual overhead involved in managing security vulnerabilities shed light on a critical aspect of cybersecurity operations. About 75% of organizations have security teams spending over 20% of their time performing manual tasks when addressing security alerts. All this, despite 83% reporting they use at least some automation in their remediation process. On average, organizations are dealing with a queue of 55 security vulnerabilities per day, of which 1-3 are typically critical. On average, teams can address only 270 vulnerabilities within a month, meaning many of these vulnerabilities are rolling over day after day. In particular, alerts are bottlenecked in the early phases: waiting in the queue to be addressed and identifying the issue owner. These phases take on average 1-3 hours each, which means most of a workday could be taken up just by getting the vulnerability to the correct person for remediation. This scenario raises several points of consideration.

Inefficiencies in the Remediation Process: The initial phases of the vulnerability management process appear to consume a disproportionate amount of time. These inefficiencies could be rooted in the time-consuming manual process of investigating issues and figuring out who is responsible for fixing them. When roles are not clearly defined, valuable time that could be spent on addressing the vulnerabilities is instead used to determine who should take action.

Potential for Overlooked Vulnerabilities: When teams are overwhelmed with manual tasks, there’s a risk that some vulnerabilities, especially less critical ones, might be overlooked or deprioritized. This oversight can have serious long-term consequences, as even non-critical vulnerabilities can be exploited as part of a larger attack strategy.

Impact on Employee Efficiency and Morale: The manual overhead involved in vulnerability management can lead to employee fatigue (similar to alert fatigue in Key Finding 2), especially when dealing with a high volume of alerts and vulnerabilities. This fatigue can reduce the effectiveness of security personnel, as constant engagement with routine, manual tasks may diminish focus and responsiveness to more critical security issues.

Underutilized Automation: The data suggests that although organizations currently use automation in their remediation process, it’s being underutilized. Modern security operations can benefit significantly from more automated systems that quickly identify, categorize and assign vulnerabilities based on predefined risk criteria. The lack of such automation can lead to manual, time-consuming processes that slow down the overall response time.

It’s clear that there is significant room for improvement in the remediation process. Addressing these inefficiencies requires a multifaceted approach involving clearer role definitions, enhanced automation, and workflow optimization. By tackling these issues, organizations can improve the speed and effectiveness of their response to security threats and enhance the overall health of their cybersecurity operations.

5. Slow Response Times to Vulnerabilities

The survey findings on response times reveal a concerning trend: 18% of organizations take more than four days to address critical vulnerabilities, with 3% exceeding two weeks, indicating potential gaps in prioritization and response strategies. This slow response to critical vulnerabilities may result in prolonged risk periods, increasing the likelihood that the organization will become the victim of a breach. The recent Xfinity breach is an example of how delays in the vulnerability remediation timeline can have catastrophic consequences. In this instance, a 6- to 9-day period lapsed between identification of the vulnerability and a breach. The result was unauthorized access to customer Personally Identifiable Information (PII), including names, passwords, the last 4 digits of SSNs, and so on. These extended timelines for remediating vulnerabilities can also lead to a compounding effect by increasing the backlog of vulnerabilities to be addressed, increasing the likelihood that other vulnerabilities will be exploited. These findings highlight the need for more efficient vulnerability management processes, the incorporation of automation, and the prioritization of critical threats to minimize risk exposure.

6. Short-Term Fixes and Recurring Risks

There is a significant concern regarding the prevalence of vulnerabilities in code and their tendency to recur, highlighting a pattern of quick-fix approaches rather than sustainable, long-term solutions in cybersecurity practices. A substantial 38% of respondents estimate that 21-40% of their code contains vulnerabilities, and the estimated share is higher still for others: 19% of respondents note that 41-60% of their code contains vulnerabilities, and 13% identify vulnerabilities in 61-80% of their code. This data underscores the pervasive challenge of maintaining code integrity and security during the development process.

Compounding this issue is the finding that over half of the vulnerabilities addressed by organizations tend to recur within a month of remediation. This trend suggests that the underlying root causes of these vulnerabilities are often not fully resolved, leading to repeated cycles of remediation. Such recurring vulnerabilities could stem from a range of factors, including limited resources, insufficient expertise, or the inherent complexity of the vulnerabilities. This situation not only heightens security risks and potential compliance issues but also places a significant drain on resources. The heavy reliance on manual processes (see Key Finding 4) further exacerbates the issue and signals a need for more robust automation strategies and the adoption of more sophisticated, AI-driven security solutions to enhance the quality and durability of remediation efforts.

7. Collaborative Challenges: The Security-Dev Team Divide

One of the most significant findings from the survey is the evident collaboration gap between security and development teams. A startling 18% of organizations report no collaboration or counterproductive relationships. That’s nearly 1 in 5 organizations. Once established, this culture can be challenging to overcome without a significant overhaul. Over half of the respondents only experience limited to moderate collaboration. Another 30% report good cooperation, likely due to adopting a shift-left approach or DevSecOps strategy. This general lack of synergy, often based on competing priorities, could be a critical factor in ineffective security practices, as robust cybersecurity increasingly requires a harmonious blend of development agility and security vigilance. This is reflected in organizations’ perceived preparedness for dealing with cybersecurity threats: only 24% feel very prepared, meaning 77% in some way feel underprepared. This statistic underscores a readiness gap and hints at potential vulnerabilities in cloud-based operations, necessitating a more integrated approach. These less-than-ideal levels of collaboration and sense of unpreparedness are also likely manifesting in the slow response times when addressing critical vulnerabilities (see Key Finding 5): 18% of organizations take more than four days to address critical vulnerabilities, with 3% exceeding two weeks.

Furthermore, this divide might be more pronounced than the data suggests, considering the survey’s focus on security professionals. More inclusive research encompassing more DevOps teams might reveal deeper rifts, potentially impacting cloud security readiness.

Conclusion

The survey results emphasize several important areas of improvement in cybersecurity remediation practices. The efficiency of security tools and the ability to reduce vulnerabilities must be evaluated beyond the number of tools an organization has purchased, focusing instead on unified visibility and remediation across all of their code, applications, clouds, and infrastructure. Addressing the manual overhead in the vulnerability management process with automation and data correlation could significantly speed up response times, reduce the recurrence of issues, and improve productivity. The data also underscores the need for prioritizing critical vulnerabilities and addressing the root causes of recurring issues to ensure long-term security stability. Lastly, the collaboration and workflow between security and development teams need to be strengthened for more effective security management, especially in the context of cloud security. As cybersecurity threats evolve, organizations must adapt by seeking better visibility into their code-to-cloud environment, identifying ways to accelerate remediation, strengthening organizational collaboration, and streamlining processes to counter risks effectively.

Full Survey Results

Cloud Environment and Security Tooling

Organizations’ preparedness for addressing cybersecurity threats

The majority (77%) of organizations feel unprepared or underprepared for cybersecurity threats. Only a small fraction (24%) of respondents feel very prepared. This indicates a prevailing sense of inadequacy in cybersecurity readiness, with 7% of organizations even acknowledging that they are very unprepared. The results underscore a critical need across various organizations to reassess and strengthen their cybersecurity measures. This could include investing in advanced security technologies that unify visibility and remediation, enhancing staff training, and developing comprehensive, proactive strategies to better equip themselves against increasingly sophisticated and evolving cyber threats.

Visibility in the code-to-cloud environment

The majority of organizations are struggling with visibility in their environment. A mere 23% report full visibility, while a combined 77% experience less-than-optimal transparency, with 6% having no visibility, 36% limited visibility, and 35% only moderate visibility. These figures highlight an ongoing struggle in securing code-to-cloud environments, where the complexity of environments, especially with the integration of containers and serverless architectures, makes achieving thorough observability more challenging without a way to unify data.

Staff knowledge of evolving threats in cloud attack surface

Different staff levels have slightly different degrees of awareness of threats to the cloud attack surface. For Board members, only 24% are fully aware and 30% are moderately aware. CISOs show a slightly better awareness level, with 27% being fully aware and 31% moderately aware. The awareness levels among Dev Teams are comparable, with 28% being fully aware and 33% having considerable awareness. This indicates some variation based on role and job level, which is to be expected, but at all levels there is a keen interest in maintaining awareness of current threats.

The department responsible for cybersecurity gap analysis for organizations

Primary responsibility for cybersecurity gap analysis is distributed across a diverse set of departments. The IT security team leads, with 31% bearing the primary responsibility, indicating their central role in managing cybersecurity risks. Information Security departments follow at 20%, reflecting their specialized focus on safeguarding information assets. Compliance and audit departments, often involved in ensuring regulatory adherence and internal controls, account for 17%. Risk Management teams, which typically oversee broader organizational risks, contribute 15%, highlighting the increasing recognition of cybersecurity as a key risk factor. Incident response teams, who are on the front lines of addressing security breaches, are primarily responsible in 10% of the cases. Lastly, SOC (Security Operations Center) teams, despite their critical role in continuous monitoring and analysis, are the primary responsible party in only 7% of organizations. This distribution indicates the variety of approaches to cybersecurity in organizations, with various departments playing significant roles in identifying and addressing security gaps.

Number of scanning tools used in cloud environments

Organizations typically employ a variety of scanning and detection tools to safeguard their cloud environments. The distribution of tool usage varies widely: 32% of organizations use 5-6 tools, while 29% use 3-4, and a similar proportion (16%) use either 1-2 or 7-8 tools. A smaller segment, about 7%, deploys more than nine tools. This variety is partly due to the complex nature of cloud environments, which often consist of multiple layers and components, each of which can require specialized monitoring. For instance, code-level security might necessitate 5-6 tools on its own. However, this multiplicity of tools can lead to challenges, such as the issue of duplicate alerts, potentially leading to alert fatigue among security teams and complicating the process of threat identification, prioritization, and response. When selecting scanning and detection tools, it’s important to consider strategic integration and management of security tools to optimize efficiency and effectiveness in cloud environment protection.

Use of automation in the remediation process

A significant majority of organizations, about 83%, currently incorporate automation in their remediation processes, indicating a trend towards leveraging technology for enhancing cybersecurity efficiency. However, this statistic only confirms the presence of automation, not the extent of its utilization. The remaining 17% do not use automation, which might suggest either a preference for manual processes or potential areas for technological advancement. The degree of automation usage will have an impact on organizations’ overall effectiveness and the speed of their cybersecurity responses.

Security Tools Budget

Annual spend on cybersecurity solutions and tools

The annual expenditure on cybersecurity solutions and tools among organizations displays a broad spectrum. While 10% of organizations allocate less than $100,000, a significant portion, 27%, spend between $100,000 and $500,000. The largest group, at 29%, invests between $500,000 and $1 million, followed by 22% who allocate $1 million to $5 million. A smaller fraction, 8%, dedicates over $5 million, and 3% are unsure of their spending. This data was collected when organizations would have been budgeting for 2024. It is therefore likely to be particularly accurate and relevant, especially from leadership and upper management, who are more attuned to budgetary allocations. Interestingly, there’s a noticeable difference in the estimation of budgets between staff and C-level executives, with the latter more likely to report higher budgets. For instance, only 7% of staff report budgets under $5 million, compared to 14% of C-level executives; similarly, 15% of staff report spending between $1 million and $5 million, against 20% of C-level executives. This disparity might reflect a difference in awareness or involvement in budget decisions, with C-levels likely a more reliable source given the context.

Changes to budget for cybersecurity solutions and tools in 2024

Regarding future budget allocations for cybersecurity solutions and tools, the outlook among organizations points to significant developments. Approximately 45% of organizations plan to increase their cybersecurity budget next year, while half expect their budget to remain the same, and a small fraction, 5%, anticipate a decrease. This trend towards increased investment indicates both the maturing of existing tooling and the potential acquisition of new tools and technologies. However, given the already high number of security tools in use, highlighted previously, this influx of additional tools could further complicate the issue of security alerts. With more tools in the mix, there’s a heightened risk of increasing alert fatigue and the occurrence of duplicate alerts, which can overwhelm security teams and obscure genuine threats. Organizations should seek out tools that may help consolidate these alerts and develop a strategic plan for tool integration and management to ensure that the additional investment translates into enhanced security efficacy rather than contributing to an already complex alert landscape. Additionally, it would benefit organizations to seek out tools that provide a more unified approach.

Portion of cybersecurity budget dedicated explicitly to cloud security

The allocation of annual cybersecurity budgets towards cloud security reveals a diverse range of commitments among organizations. A notable 22% dedicate less than 20% of their budget to cloud security, indicating a relatively lower prioritization or possibly limited cloud utilization. However, a more substantial segment of 31% allocates 21-40%, and 27% invests 41-60%, reflecting a moderate to high emphasis on securing cloud environments. Interestingly, only a smaller fraction, 16% and 4%, respectively, dedicate a larger portion (61-80% and over 81%) of their budgets to cloud security. This suggests that while cloud security is a significant concern for most, the degree of financial commitment varies, potentially influenced by the scale of cloud usage, the nature of the business, and the perceived risks associated with cloud environments.

Staff Addressing Vulnerabilities

Team size

The team size dedicated to responding to security alerts in organizations varies, influenced by factors such as organizational size and industry. A significant proportion (49%) have teams comprising 4-6 members, indicating a moderate-sized response team commonly found in a range of organizations. Smaller teams of 1-3 members are present in 22% of organizations, possibly reflecting smaller businesses or those with fewer resources dedicated to cybersecurity. Meanwhile, 21% have slightly larger teams of 7-10 members, and a smaller segment of 8% operate with teams of 11 or more, likely indicative of larger enterprises or organizations in highly regulated industries where cybersecurity is a critical concern. These variations highlight how the composition of security response teams is tailored to the organization’s specific needs, scale, and nature, balancing resource allocation with the demands of maintaining robust security measures.

Relationships between security and developer teams

The working relationship between security and developer teams in organizations shows a spectrum of collaboration levels. Notably, a majority of 52% report limited collaboration, indicating a potential gap in integrated efforts between these teams. This could suggest challenges in communication or differing priorities that hinder more effective collaboration. On a positive note, 30% of organizations experience good collaboration, reflecting a healthy level of interaction and mutual support. However, on the less favorable end, 10% report no collaboration, and 8% describe their interactions as counterproductive. These lower percentages are concerning, as they point to significant barriers to effective teamwork, which can impact both security and development processes. This distribution underscores the importance of fostering better alignment and communication between security and developer teams to enhance overall organizational efficiency and cybersecurity posture. It’s also worth noting that the audience for this survey is primarily security professionals, and the results may be markedly more negative with a larger portion of developers responding to the same questions.

Security Vulnerabilities

Look at Daily Security Vulnerabilities and Monthly Response Rates

The data presents a compelling picture of the challenges in cybersecurity management within organizations. On average, each day sees 55.5 security vulnerabilities in the queue, with typically at least one being deemed critical. This scenario paints a vivid picture of the ongoing and dynamic nature of cybersecurity threats that organizations face regularly. The presence of at least one critical vulnerability on a daily basis highlights the critical need for effective and responsive cybersecurity processes.

However, when looking at the broader monthly perspective, the average number of vulnerabilities addressed is 1025 per month. This disparity between the daily influx of vulnerabilities and the monthly resolution rate points to the substantial efforts undertaken by security teams to manage and mitigate these risks. Such a high volume of vulnerabilities each month calls for well-structured prioritization and triage processes, ensuring that critical issues receive immediate attention. This is indicative of the ever-evolving complexity of the threat landscape and the necessity for continuous monitoring and swift response capabilities. Organizations must be constantly vigilant and use robust security strategies to keep pace with the rapidly changing cybersecurity challenges.

Rate of false positives

The majority of organizations (76%) experience a significant challenge with false positive alerts, with more than 1 in 10 of their alerts falling into this category. Specifically, 34% of organizations report that 11-30% of their alerts are false positives, followed by 20% experiencing 31-50%, and 14% encountering 51-70%. Additionally, 7% face an even higher rate of 71-90% false positives, and 1% deal with more than 90% false positives. This prevalence of false positives poses a burdensome task for security teams, who must expend considerable time and resources discerning false alarms from genuine threats. Such a high rate of false alerts leads to inefficiencies, with teams spending significant time sorting through irrelevant alerts rather than focusing on actual vulnerabilities and pressing security issues.

Difficulty posed by false positives and duplicate alerts

The challenge of dealing with false positives and duplicate alerts in organizations is prevalent, as reflected in the survey results. For false positives, only 9% of organizations find them to be no challenge, but a significant majority face varying degrees of difficulty: 31% consider them a minor challenge, 39% a moderate challenge, and 21% a major challenge. Similarly, in the case of duplicate alerts, only 11% report no challenge, whereas 26% find them to be a minor challenge, 43% a moderate challenge, and 20% a significant challenge. This means a substantial number of organizations grapple with the efficiency of their alert systems, as both false positives and duplicate alerts require additional resources and time for verification and lead to potential delays in responding to genuine threats.

Average timeline for addressing non-critical security vulnerabilities

The data on the average timeline for addressing non-critical security vulnerabilities in organizations reveals a varied range of response times. A significant portion (24%) manages to address these vulnerabilities within 6 to 24 hours, while 23% take 1 to 3 days, and 20% handle them within 1 to 5 hours. A smaller, yet notable, proportion of organizations take longer, with 9% addressing vulnerabilities within 4 to 7 days, 7% within 8 to 14 days, and 3% taking more than 14 days. The fastest response, within less than an hour, is reported by 14% of organizations.

The varied response times may reflect the diverse nature of non-critical vulnerabilities, the differing capacities and resources of security teams, and the specific contexts within which these organizations operate. This understanding underscores the need for a balanced approach in cybersecurity management, ensuring timely responses while effectively allocating resources based on the severity and impact of each vulnerability.

SLAs for critical security vulnerabilities

The data on Service Level Agreements (SLAs) for addressing critical security vulnerabilities presents a revealing contrast to the handling of non-critical vulnerabilities. While 15% of organizations report addressing critical vulnerabilities within less than an hour, likely indicating the use of automation, 25% take between 1 and 5 hours, and another 25% take 6 to 24 hours. These response times are relatively faster compared to those for non-critical vulnerabilities. However, a significant 35% of organizations report taking over one day to address these critical vulnerabilities, with 17% taking 1 to 3 days, 11% taking 4 to 7 days, and a combined 7% taking more than a week.

This slower response in a considerable number of cases is a matter of concern, as it suggests that a significant portion of organizations are potentially leaving themselves vulnerable for extended periods, thereby increasing their risk and likelihood of a breach. The fact that a sizable fraction can address these issues within a few hours demonstrates that rapid response is possible, likely facilitated by efficient processes and possibly automation. However, the slower responses among many organizations may indicate resource limitations, process inefficiencies, or a lack of sufficient urgency in addressing critical vulnerabilities.

Percentage of code with vulnerabilities that impact security or functionality

A significant 38% of respondents estimate that 21-40% of their code has vulnerabilities, while 27% believe less than 20% of their code is problematic. Additionally, 19% of participants indicate that 41-60% of their code could be vulnerable, followed by 13% who estimate between 61-80%, and 4% who face vulnerabilities in over 81% of their code. These figures underscore the pervasive challenge of maintaining code integrity and security in the development process.

Difficulty finding the code owner responsible for addressing application vulnerabilities

The challenge of identifying the code owner in the context of addressing application vulnerabilities is notable in many organizations. Most respondents (60%) find it somewhat difficult, with an additional 24% facing moderate difficulty, and 5% finding it highly challenging. Only 11% consider locating the code owner an easy task. The prevalence of this challenge points to potential gaps in documentation, unclear ownership policies, and complexities in development processes. Improving documentation practices and clarifying code ownership responsibilities could be key to expediting vulnerability resolution and enhancing application security.

Remediation Process

Average length of each remediation phase

Each phase of the remediation process, on average, requires between 3 and 6 hours, with a gradual increase in duration as the process progresses, and with owner remediation taking closer to 6-12 hours. These findings indicate a sequential escalation in the time required for each subsequent phase, reflecting the growing complexity and depth of work involved as one moves from initial alert handling to in-depth research and final remediation of security issues. This pattern underscores the need for efficient management and prioritization at each step to ensure timely and effective resolution of security vulnerabilities. The use of automation can also help expedite earlier phases, thus helping to shorten remediation timelines.

Time spent on manual tasks

Security teams in organizations spend a notable portion of their time on manual tasks when addressing security alerts. Notably, a substantial 74% of teams spend more than 20% of their time on manual tasks related to security alerts. Specifically, 38% of teams dedicate between 21-40% of their time to these tasks, followed by 17% who spend 41-60% of their time, 14% who allocate 61-80%, and 5% who spend more than 81% of their time on manual activities.

This significant investment of time in manual tasks suggests a pressing need for enhanced automation in the cybersecurity domain. Relying heavily on manual processes can lead to inefficiencies, increased response times, and a higher likelihood of human error. Effective automation could streamline the process of addressing security alerts and free up valuable team resources to focus on more strategic, complex aspects of cybersecurity. This shift towards automation could result in more efficient operations, quicker responses to security incidents, and a stronger overall security posture for organizations.

Average rate of vulnerabilities recurring within a month of remediation

On average, 50% of vulnerabilities reoccur within a month of remediation, indicating a tendency towards a quick-fix approach in many organizations. This approach focuses on providing a temporary resolution for immediate issues rather than addressing underlying root causes. Ultimately, this leads to repeated work for security teams, larger security alert queues, and extended timelines for proper remediation. This cycle strains resources and exposes the organization to prolonged risks. It highlights the need for a more strategic approach to vulnerability management, including comprehensive analysis and perhaps adopting more sophisticated security tools or methodologies. This shift from a reactive to a proactive stance in addressing vulnerabilities could significantly reduce recurrence, enhance overall security posture, and optimize the allocation of security resources.

Cybersecurity Incidents

Security incidents that must be disclosed

The most common frequency of cloud security incidents requiring disclosure in organizations was around four incidents annually, equating to approximately one incident per quarter. The need for disclosure, whether to regulators, the board, or the public, varies considerably based on the industry and the specific regulatory requirements it faces. This variability underscores the diverse nature of cloud security challenges across different sectors.

Duration from detection to commencement of remediation for cloud breaches

The data in this section was derived exclusively from organizations that reported experiencing a security breach within the past year. The duration of time from detection to the commencement of remediation actions varies considerably. A small fraction (7%) manages to start remediation within an hour of detection, indicating a highly responsive approach likely involving automation. The most common response times fall within the range of 1-6 hours, with 27% taking 1-3 hours and 28% taking 3-6 hours. This suggests a moderately prompt response in most cases. Another 24% of organizations take 6-12 hours to commence remediation, followed by 8% taking 12-24 hours. A smaller percentage (3% and 2%, respectively) report starting remediation actions within 1-3 days and over 3 days after detection.

This distribution underscores the challenges and complexities involved in responding to cloud breaches. The varied response times reflect different levels of preparedness and capabilities among organizations. The fact that a significant number of organizations take more than a few hours even to begin remediation suggests potential areas for improvement in detection and initial response mechanisms. It's important to note that these figures represent only the commencement of remediation, not its completion, highlighting the initial phase of the response process. This phase is critical, as quicker commencement of remediation can significantly reduce the impact of a breach.

Average time to fully remediate a cloud breach

Of the organizations that had experienced a data breach within the past year, only a small portion (6%) were able to fully resolve a breach in less than a day, indicating exceptional efficiency or less complex breach scenarios. A significant number (24%) achieve full remediation within 1-3 days, showing a relatively rapid response. However, the timelines extend considerably for many organizations: 23% take 4-7 days, another 23% require 8-14 days, and 16% need 15-30 days for complete resolution. Longer durations are less common but still notable, with 5% taking 31-45 days, 2% needing 46-90 days, and 1% extending beyond 90 days.

Each additional hour and day that it takes to remediate leaves an organization vulnerable to additional damages. This variation in remediation times stresses the importance of robust cloud security measures, effective incident response planning, and the need for continuous monitoring and improvement of cybersecurity practices to effectively manage and mitigate the impacts of cloud breaches.

Difficulty of remediating code, apps, and cloud compared to networked devices and hosts

Responses are almost evenly split between finding these efforts more difficult (41%) and less difficult (39%), with 19% considering them about the same. This split suggests that the perceived difficulty of remediation is highly dependent on the organization's environment, the team's expertise, and the nature of the systems involved. While 15% of respondents find remediation in cloud environments much less difficult and 24% find it less difficult, a nearly equal proportion, 23% and 18%, respectively, perceive it as more or much more difficult.

This distribution challenges the expectation that remediation in cloud environments would be inherently harder due to issues like reduced visibility and the complexity of managing multiple layers. The fact that many respondents find it less difficult might reflect the evolving capabilities and tools available for managing cloud environments. Alternatively, it could indicate varying levels of maturity and skill in handling cloud-based systems across different organizations.

Difficulty of reporting progress on remediation SLAs

An overwhelming 90% of respondents experience some level of difficulty in reporting on SLAs, with 58% finding it somewhat difficult, 25% moderately difficult, and 7% highly difficult. Only a small fraction, 10%, report no difficulty. This widespread struggle can be attributed to issues with establishing clear, measurable metrics for tracking and reporting progress. Providing accurate and timely updates on remediation efforts becomes complex without quantifiable metrics or effective ways to measure progress. This difficulty in reporting not only hinders transparency but also impacts the ability to effectively manage and communicate the status of cybersecurity efforts. The findings highlight a critical need for organizations to develop more robust and measurable frameworks for tracking remediation efforts, ensuring that progress can be effectively monitored and communicated in line with SLA requirements.

Estimated financial impact of the breach

The average cost of a cloud breach amounts to approximately $7,290,353.31 per breach. This figure notably exceeds the global average of $4.45 million per breach [1], as reported in a recent study, and is closer to the U.S. average of $9.48 million per breach [1]. This substantial financial burden underscores the severity of security breaches and the importance of robust cybersecurity measures. The high cost associated with breaches reflects direct expenses like remediation and legal fees and encompasses indirect costs such as reputational damage and loss of customer trust, emphasizing the far-reaching consequences of cybersecurity incidents.

Demographics

The survey was conducted online by CSA in December 2023, and 2,037 responses were received from IT and security professionals from organizations of various sizes and locations.

Survey Creation and Methodology

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to widely promote best practices for ensuring cybersecurity in cloud computing and IT technologies. CSA also educates various stakeholders within these industries about security concerns in all other forms of computing. CSA's membership is a broad coalition of industry practitioners, corporations, and professional associations. One of CSA's primary goals is to conduct surveys that assess information security trends. These surveys provide information on organizations' current maturity, opinions, interests, and intentions regarding information security and technology.

Dazz commissioned CSA to develop a survey and report to better understand the industry's knowledge, attitudes, and opinions regarding security remediation. Dazz financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in December of 2023 and received 2,037 responses from IT and security professionals from organizations of various sizes and locations. CSA's research analysts performed the data analysis and interpretation for this report.

The Goals of the Study

The primary objectives of the survey were to gain a deeper understanding of:

  • Current cloud environments and security tools
  • Challenges in today’s remediation practices
  • Opportunities to lower risk and improve security and developer team efficiency

The State of Security Remediation 2024

February 14, 2024
