- OTRS Group survey shows U.S. companies are far from exhausting existing possibilities for more IT security
- Less attention paid to vulnerability management than in previous year despite increased threat level
- Trust in governmental providers of information on vulnerabilities increased massively
Cupertino, CA, 15 December 2022 – In the coming year, U.S. companies will face the mammoth task of equipping themselves for the threat level in cyberspace, which has further increased since the start of the war in Ukraine. Fortunately, the U.S. is leading the pack in regards to technology tool support compared with other countries such as Germany, Mexico, Brazil and more. For example, less than one-third (32 percent) in Germany currently use security, orchestration, automation and response software (SOAR) as part of their incident management processes. In the U.S. and Singapore, this figure is twice as high (65 percent). Though, it is worth noting that the use of vulnerability management tools has dropped by five percent in the U.S., so there is room for improvement.
There is also a lack of awareness about where serious threats to IT security lurk. Just over one in two U.S. or Singaporean security teams (57 percent) has had difficulty applying a patch because they were using an older software version. Half (50 percent) say the reason for this is that they were not aware of the severe consequences and the same number indicate that they were trying to save money. These are findings of the second part of the current study “OTRS Spotlight: Corporate Security”, for which the software company OTRS Group, in collaboration with the market research company Pollfish, surveyed 500 employees in IT security teams worldwide, including in the U.S.
SIEM, SOAR, vulnerability management: benefits clear, usage expandable
The benefits of tools such as a SOAR seem clear to many IT security staff surveyed, but it is particularly noticeable in the U.S., where 91 percent of those surveyed in the U.S. and Singapore either have SOAR in place or are planning to implement such software. The return on investment is promising: Two-thirds of respondents worldwide who are already using a SOAR see that it makes working with IT easier. Similarly, 56 percent indicate that it protects them from the impacts of future security incidents; another 44 percent say that it improves response times. However, six percent of U.S. companies still have no plans whatsoever to introduce a SOAR. Another four percent quite simply do not know whether they are already using or planning to introduce one.
Tools for security information and event management (SIEM) (86 percent) and vulnerability management (87 percent) are used much more frequently in the U.S. than SOAR software, and still more frequently than in the average of all the countries surveyed (77 and 81 percent). Vulnerability management tools primarily help those who already use one to find vulnerabilities faster (69 percent), to close them and act more securely (66 percent), and to structure and document them (68 percent).
Lack of investment hinders effective IT security
It is not just a lack of investment in additional tools that makes it difficult for IT security teams to effectively protect their organizations. For solutions that are already in use, the push for cost savings also increase the security risk. 50 percent cite wanting to save money as a reason for having used an outdated software version and therefore not being able to apply a patch in the past. In addition to awareness about the severe consequences of using outdated software or saving money, 34 percent also lacked knowledge that a new version was available.
“Every day, new attacks on the IT of companies from all industries and of all sizes become known to the public. Despite this, many still neglect the issue and do not give their IT and security teams the necessary means to protect themselves as well as possible against cyberattacks and to be prepared for the worst-case scenario – either because they underestimate the threat or shy away from the necessary investments,” Christopher Kuhn, COO of OTRS Group and general manager of OTRS Inc., points out. “These companies are playing with fire. Skimping on technical tools for IT security is like a fire department without a fire truck. Tools won’t be able to fend off every single attack attempt, but they will minimize the damage.”
Question of trust? Commercial providers lose out to the state
The usage of different sources of information on vulnerabilities has seen some shifts compared to the previous year. Just over half of U.S. security teams currently obtain information on vulnerabilities from commercial providers (58 percent). This makes them the most popular source, having grown from last year they when they accounted for 54 percent. Vendors have lost popularity (-29 percent). Meanwhile, governmental providers of information on vulnerabilities have seen an uptick. While 21 percent trusted the government in this matter in 2021, more than a third (35 percent) did so this year. The same trend can be observed across all countries surveyed.
Incident management plan in place as a foundation
The foundation for a solid IT security infrastructure is having an incident management plan. More than two thirds (70 percent) have found it particularly helpful in optimizing their IT security efforts and avoiding more serious consequences. Four in ten (41 percent) know what to do right away thanks to the incident management plan, and 58 percent say it has helped them find out why incidents have happened.
When it comes to mapping their security processes as part of security incident management, U.S. and Singaporean companies often combine several frameworks. CERT (52 percent) is used most frequently, followed by ISO27035 (45 percent), NIST (44 percent), and KRITIS (40 percent). Only 4 percent do not use a single framework to map their security processes.
“The foundation for strong IT security is now in place in the vast majority of companies. Now, it is important to expand on this, because incident management plans alone are not enough to be able to act securely and thus secure one’s own business in the long term,” says Christopher Kuhn. “On the one hand, the focus should be on raising awareness of sources of security risks and necessary preventive measures throughout the company. On the other hand, executives should not hesitate any further to invest in tools that support their team in increasing security and being able to react quickly and effectively in an emergency.”
About the survey
The data used is based on an online survey by Pollfish Inc. in which 500 employees in IT security teams in Germany, the U.S., Brazil, Mexico and Singapore participated between October 6, 2022, and October 22, 2022, including 200 in the U.S. and Singapore combined. The same survey was conducted in 2021, with the exception of the questions on developments since the start of the war in Ukraine. The results of this survey were used for comparisons with the previous year.
The results of the first part of the study are available here.
About OTRS Group
OTRS Group is the manufacturer and the world’s largest provider of the enterprise service management suite OTRS, awarded with the SERVIEW CERTIFIED TOOL seal of approval. It offers companies industry-independent solutions for structured communication in customer service, IT service management and security management. In addition to the core product OTRS, the security solutions STORM and CONTROL ensure efficient cybersecurity incident management and transparent documentation in accordance with standards such as ISO 27001.
Among its customers are Lufthansa, Airbus, Porsche, BSI (Federal Office for Security in Information Technology), Max Planck Institute, Toyota and TUI Cruises. The company consists of OTRS AG and its five subsidiaries OTRS Inc. (USA), OTRS S.A. de C.V. (Mexico), OTRS Asia Pte. Ltd. (Singapore), OTRS do Brasil Soluções Ltda. (Brazil) and OTRS Magyarország Kft. (Hungary). OTRS AG is listed on the basic board of the Frankfurt Stock Exchange.
For more information, see www.otrs.com.