Where Are You on the Cybersecurity Readiness Index? Cisco Thinks You’re Probably Overconfident

Cisco’s new Cybersecurity Readiness Index is out, providing a useful gauge for understanding the cyber landscape. It all comes down to confidence—or, instead, overconfidence.

One of the most repeated phrases in the Star Wars universe comes from Episode IV when Luke Skywalker blows up a TIE fighter. Luke excitedly yells out, “Got him! I got him!” With his years of wisdom, Han Solo tries calming him down by saying, “Great, kid! Don’t get cocky!”

That is the main takeaway from Cisco’s new report, a survey of 8,000 leaders in cyber and business across 30 markets. As effective as we might be at keeping our assets secure, we remain in a tenuous position. One false move or an ounce too much confidence, and we’re toast.

In his introduction to the index, Jeetu Patel, EVP and GM of Security and Collaboration at Cisco (aka the Han Solo of Cisco), brings that point home. “We cannot underestimate the threat posed by our own overconfidence,” he said. Today’s organizations need to prioritize investments in integrated platforms and lean into AI to operate at machine scale and finally tip the scales in favor of defenders.”

With that, let’s look at some of the key findings.

Cybersecurity readiness is lacking

Regarding readiness in today’s threat environment, an overwhelming 71% of organizations fall into the “Formative” or “Beginner” categories. This is an alarming statistic. Cisco says that only 3% of organizations (down from 15% a year ago) fall into the “Mature” category here—think of them as being ready to handle the threats that might come their way. Discounting the 26% of people who say they are progressing on the learning curve still leaves some 97% of respondents with significant vulnerabilities.

This shows how, despite advancements in technology, security practitioners continue to fall behind for several reasons, including increased complexity, a growing attack surface, and threat actors leveraging AI. Simplification is a big driver for the platformization of security, which is one of the benefits of its Security Cloud.

Incidents are no longer an “if” but a “when”

Cybersecurity incidents are a fact of life. Indeed, 73% of respondents said a cybersecurity incident will disrupt their business in the next 12 to 24 months. The company writes that the “cost of being unprepared can be substantial, as 54% of respondents said they experienced a cybersecurity incident in the last 12 months, and 52% of those affected said it cost them at least US$300,000.”

This is an area in which I’m positive most companies “don’t know what they don’t know.” I applaud Cisco for trying to quantify how many breaches companies will experience and the average cost. In reality, when I talked to security leaders post-breach, they had no idea when the breach occurred, how long the threat actor was in the environment, and the financial impact was an estimate. I suspect that the number of breached organizations is closer to 70% and the costs are significantly higher. Even if that number is accurate, it’s large enough to be a warning that security strategies need a rethink.

Cybersecurity budgets increase as companies try to stem the tide

Looking to avoid disaster, 97% of companies plan to increase their cybersecurity budgets in the next 12 to 24 months (86% say their budgets will increase by 10% or more). Some 52% of companies say they plan significant IT infrastructure upgrades in the same period, much more than the 33% with a similar plan last year. Upgrades are coming for existing solutions (66%), the deployment of new solutions (57%), and AI-driven investments (55%).

Readiness is low, but confidence is high

As we noted, cybersecurity readiness is alarmingly low across the board. However, that’s not reflected in the confidence of the companies that responded to the Cisco study. Some 80% of respondents, down slightly from last year, say they’re moderate to very confident in their ability to stay resilient. Cisco believes their confidence is misplaced and that they have not assessed the scale of their challenges.

I agree that confidence will only get companies in trouble. With cyber security, it’s best to maintain a healthy paranoia and plan for the worst. No one thinks they’ll get in a car accident from texting on their phones until it happens. That’s when people change their behavior.

So many gaps, so little time

There are many other revealing takeaways in this nearly 30-page report. But there’s nothing more alarming that—even after decades of having it driven home and having boardrooms and c-suites supposedly buy in—cyber threats are still taken too lightly. There are gaps in maturity, coverage, talent, and self-awareness.

The underlying cause of these gaps is hard to pin down. But it likely comes from how we can all hold contradictory beliefs in our heads simultaneously. We can all freely acknowledge that cybersecurity is a significant threat. But when we look at our estate, even when presented with data, we think we’re immune. “Got him! I got him!”

This cognitive dissonance will almost certainly lead to the career demise of overconfident cybersecurity professionals, CISOs, and CIOs. And maybe even a few companies.

The numbers don’t lie. Don’t get cocky.

Zeus Kerravala is the founder and principal analyst with ZK Research.

Read his other Network Computing articles here.

Related articles: