CyCognito and ESG Find 73% of Cybersecurity and IT Pros Use Spreadsheets to Manage Security Hygiene and Posture

The majority of organizations report they have been breached via unknown or poorly managed assets, proving traditional approaches to external attack surface management have failed.

CyCognito recently announced new research that shows security teams struggle to keep pace as attack surfaces rapidly expand with adoption of cloud, SaaS and IOT technology, M&A and digital supply chain growth.  According to the new ESG Security Hygiene and Posture Management research report,  organizations are challenged to prioritize how to most effectively reduce cyber risk, and even determine which digital assets are business-critical. With 69% of organizations attacked via blind spots, it’s clear spreadsheet-based manual processes are failing to deliver adequate security hygiene and posture management or prevent breaches.

A clear sign that organizations can do better: 73% of respondents say that “spreadsheets remain a key aspect of security hygiene and posture management.”  That approach translates directly to time-consuming and error-prone processes built around aggregating and analyzing data manually. With too many tools to reconcile, and too many security gaps to fix, security and IT professionals’ time is stolen away from more valuable activities such as remediating the critical risks attackers target.

Organizations must reassess how they do security hygiene and posture management or they will continue to be breached through security gaps that manual process and first generation attack surface management tools miss. The good news is that the ESG research shows that organizations plan to invest more in products that automate and scale to address this gap, a category ESG calls Security Observability, Prioritization, and Validation (SOPV) products.

Top findings from the research include:

— Almost 75 percent agree that spreadsheets remain a key aspect of security hygiene and posture management.

— Nearly 7 in 10 admit they  have had a cyber attack that started through an unknown, unmanaged or poorly managed internet-facing asset.

— 67 percent of organizations have seen an increase in their attack surface in the last two years, and this increase is even notable for organizations with more IT assets. This means that the challenge is only getting bigger, and adds urgency to finding a solution.

— Nearly 6 in 10 admit that their organizations struggle to understand which assets are business-critical.

— 61 percent admit that while their organization understands the importance of security hygiene and posture management, they find it difficult to prioritize the right actions that can have the biggest impact on cyber-risk reduction. 

“The data from this research tells a clear story: there is an entire slice of the enterprise security ‘stack’ that is weak and, surprisingly, it’s one of the foundational layers in the stack,” stated Jon Oltsik, Senior Principal Analyst and ESG Fellow. “Security hygiene and posture management is a broad category of requirements that organizations have to master, or they leave themselves open to being breached via  the types of blind spots attackers regularly seek.” Oltsik added, “Increased spending on defensive and reactive measures cannot eliminate those gaps. Organizations realize this, and that’s reflected in their plans to spend more on SOPV solutions.”

“This research aligns closely with what we see in the market, that gluing together data from asset management, vulnerability assessment, and threat intel feeds, or even using first-generation attack surface management solutions, is no match for attacker techniques,” said Rob Gurzeev, CEO & Co-Founder of CyCognito. “Security and IT operations teams get bombarded with thousands of critical alerts, but can remediate just a few each month, maybe 50 out of thousands.”

Gurzeev added, “Meanwhile, attackers simply look for the path of least resistance and successfully breach their targets’ networks, applications and data. Our Attack Surface Protection platform delivers multiple SOPV capabilities and gives CISOs and their security teams the ability to decrease the mean time to remediate security gaps from months to days, or even hours, and report on progress and security posture to key stakeholders.”

The research was sponsored by CyCognito and conducted by ESG who surveyed IT and cybersecurity professionals to understand the state of the “security hygiene and posture management” market, what ESG describes as a category that cuts across attack surface management, asset management, vulnerability management, and penetration testing.

To get the full report, please visit: