Study "Security as a Service 2023" – Deceptive self-assessment sets the tone

Vienna/Munich, August 22, 2023 – Digitalization experts A1 Digital publish a study on the state of IT security in the DACH region in 2023(i) in cooperation with Foundry (CIO, CSO and COMPUTERWOCHE). More than 70 percent of businesses in Germany, Austria and Switzerland feel adequately prepared for attacks on their company, data and infrastructure. By contrast, 48 percent of individuals in charge with the aftermath of cyberattacks report significant damage. According to their own evaluation, 62% of surveyed businesses saw the process from recognition to assessment of an emergency to finally triggering crisis management action consume hours or even days. The worst cases saw those affected unable to adequately judge the situation. The disastrous conclusion: a comprehensive concept of deterrence does not exist in these companies.

Self-assessment as a risk factor

In the survey, businesses give a positive self-assessment of their security expertise. Overall, 73 percent of companies rate their cyber risk and cyberattack detection capabilities as "good" or "very good". So-called CRITIS operators, i.e. companies operating critical infrastructure, are particularly self-confident: 79 percent rate their capabilities as no less than "good," compared to around 60 percent of non-CRITIS companies. There are even greater differences in self-assessment within a company’s various departments. 81 percent of decision-makers in the IT area feel able to adequately detect cyberattacks. Specialist departments (50 percent) and management (66 percent) show less confidence. However, even after major incidents, 80 percent of affected companies rate their defense as "good" or "very good". Businesses see their biggest technical challenge in the growing threat of increasingly complex cyberattacks and lack of information on the value of the affected data and processes (45 percent each). "As the study shows, self-awareness in the world of cybersecurity is often deceptive and can lead to a false sense of security," explains Thomas Snor, Director of Cyber Security at A1 Digital. "Companies need to recognize the complexity and multilayered nature of threats. It is not enough to rely on past successes. Instead, it is critical to be proactive, adjust strategies regularly and adapt to the ever-changing landscape of cyber threats."

CISO or IT?

Surprisingly, CIOs with 22 percent, not CISOs (11.5 percent), have the greater influence on security decisions. The CIOs' decision-making power over security services increases proportionate to company size. "Only 12 percent of CISOs actually make security decisions; most of them are made by the CIO," says Snor. "In my opinion, the CISO would be better placed within the CFO's organization, where risk management and assessment sit. There, the burning question of data value in the context of overall risk to the business can be most competently answered."

The human factor as a weakness as well as scarce resource

Just under 37 percent of those questioned list negligent employees as the reason for successful attacks. Conversely, employee training and a lack of IT security experience are named as being among the top three biggest challenges, demonstrating a certain level of critical self-reflection. Almost one in five respondents complain about a shortage of IT security professionals in connection with future organizational challenges.

A question of organization

44 percent of companies see their greatest organizational challenge in the area of IT security in the implementation of security standards, 39 percent in compliance monitoring. Only a quarter of businesses cite budgets as being major obstacles. Company size influences perception: of large companies with more than 1,000 staff, just under 50 percent see the implementation of standards as a challenge compared to 44 percent of companies with fewer than 500 employees. CRITIS organizations rate the challenge of retaining standards as 43 percent lower than non-CRITIS operators (48 percent). From a technical perspective, complex cyberattacks (45 percent of respondents), lack of threat information (45 percent) and data cloud backup (43 percent) are cited as being the three biggest challenges. It is also worth noting that only three percent of companies do not use a service provider for their IT security. 28 percent rely on at least one, and more than half of businesses retain the support of two to five service providers. Overall, companies are increasingly outsourcing IT security tasks. Almost 40 percent rely on service providers to monitor security policies and implement security processes as well as technical systems. The relevant service provider’s trustworthiness is essential in this context, and 47 percent of respondents expect the outsourced service to be based in Germany.