After double-digit growth in the past two years, cybersecurity budgets expanded more modestly in 2023. Plus, a survey offers an inside look at how organizations are grappling with cyber challenges. In addition, the U.S. and Japan warn about a China-linked group that’s stealthily compromising network devices. And much more!
Dive into six things that are top of mind for the week ending September 29.
Cybersecurity teams on average saw an increase in their 2023 budgets, but the bump was much smaller than in previous years, as organizations across the board reined in IT spending.
That’s the main takeaway from the “2023 Security Budget Benchmark Report” released this week by IANS Research and Artico Search, which surveyed 550 CISOs and security executives. The report is now in its fourth year.
Specifically, cybersecurity budgets grew an average of 6%, much lower than the 17% growth in 2022 and, according to an IANS Research official, not high enough for CISOs to counter the increasingly sophisticated and aggressive cyberthreats their organizations face.
"The incremental growth in cybersecurity budgets is insufficient relative to the increases in scope facing security teams," Nick Kakolowski, Senior Research Director of IANS Research, said in a statement.
However, even with smaller budget increases, cybersecurity teams are doing better than other IT teams, as evidenced by the fact that the cybersecurity slice of the overall IT budget once again grew – reaching an average of 11.6%, up from 9.9% in 2022 and 8.6% in 2020.
Overall, 63% of organizations increased their cybersecurity budgets. Among those, the ones that got the largest bumps – an average increase of 27% over 2022 – attributed it primarily to highly publicized breaches.
And what’s the biggest item on cybersecurity budgets? That goes to staff and compensation, with a 38% share of the budget.
(Source: “2023 Security Budget Benchmark Report” from IANS Research and Artico Search, September 2023)
To get more details, check out the report’s announcement and a blog about the report, and download the full report.
For more information about cybersecurity budgeting:
Wondering how other companies are dealing with cybersecurity issues like cyber insurance, third-party attacks, budget allocation, staffing and ransomware payments? Check out InformationWeek’s “Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023.”
Based on a survey of 180 IT executives and cybersecurity professionals, the report offers a fascinating view into how enterprises are tackling a wide variety of complex and often vexing questions about how to best manage cyber risk and attain IT resiliency.
Let’s take a look at a sampling of the report’s findings.
(Source: InformationWeek’s “Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023” report, August 2023)
To get more details, read the report’s announcement, download the report and check out an infographic.
BlackTech, a group of hackers associated with the Chinese government, is stealing intellectual property and confidential data from U.S. and East Asia organizations by stealthily tampering with router firmware.
So said the U.S. and Japanese governments this week in the joint advisory “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices,” in which they detail BlackTech tactics, techniques and procedures, and offer detection and mitigation recommendations.
“BlackTech activity targets a wide range of public organizations and private industries across the U.S. and East Asia. We encourage all organizations to review the advisory, take action to mitigate risk, report any evidence of anomalous activity, and continue to visit cisa.gov/china for ongoing updates,” Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, said in a statement.
BlackTech attackers typically compromise routers and other network devices from subsidiaries by exploiting known vulnerabilities that the targeted organizations have left unpatched. Then they breach headquarters’ networks, where they use “living off the land” techniques to remain undetected.
Top network device CVEs exploited by PRC state-sponsored cyber actors
(Source: “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices” advisory from the U.S. and Japan governments, September 2023)
The group targets Windows, Linux and FreeBSD operating systems using remote access tools (RATs) and custom malware, including BendyBear, FakeDead and FlagPro.
Recommendations include:
To get more details, read the joint alert, the joint announcement and the full advisory.
For more information about this advisory:
The Open Source Security Foundation (OpenSSF) has produced an initial version of a threat model aimed for users of open source software (OSS) interested in preventing supply chain attacks.
The threat model is intended to help organizations assess and prioritize OSS supply-chain risks, as well as identify security weaknesses and gaps. It starts with “a very high-level depiction of a typical enterprise open source software consumer with common software assets,” wrote Jonathan Meadows, chair of the OpenSSF End Users Working Group, in a blog announcing the threat model.
“This model then details high-level threats against each component. Many of these threats should resonate as they have been actively attacked and reported in the media,” added Meadows, who is also a Citi Tech Fellow and the Head of Cloud, Application and Software Supply Chain Security at Citi.
Architecture diagram of a large in-house development organization
(Credit: OpenSSF)
Anyone interested in helping to further develop this threat model is invited to participate in the OpenSSF’s End Users Working Group, which gets together weekly at 9:30 am PT on Monday and bi-weekly on Thursday at 7:00 am PT. No threat modeling experience is required.
For more information about software supply chain security:
VIDEO
Top 5 Things to Know About Supply Chain Attacks (TechRepublic)
While much attention has been placed on the risks of software supply chains, security teams shouldn’t overlook the dangers of insecure hardware components in their IT environments. If this is an area your organization would like to beef up, check out the "Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management" document that CISA published this week.
The document aims to give buyers more clarity into hardware supply chains so they can better assess the safety and regulatory compliance of components they own or plan to buy. To that end, the framework offers the following:
The 33-page document has three main sections:
“The framework’s objective is to set forth a reliable and predictable structure for HBOMs and a set of clearly defined data fields of HBOM components and their attributes, promoting efficiencies across the ICT (information and communications technology) sectors for a variety of use cases,” reads the document.
For more information about HBOMs and hardware security:
VIDEO
CISA Releases Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management (SCRM) (CISA)
Are you involved with securing identity systems? If so, you might be interested in perusing a newly updated CISA reference architecture.
The “Continuous Diagnostics and Mitigation Program: Identity, Credential, and Access Management (ICAM) Reference Architecture” explains how to integrate identity and access management (IAM) systems into ICAM architectures.
The intended audiences for the reference architecture are U.S. federal civilian departments and agencies, but the document probably has value for anyone tasked with protecting IAM systems, if only to learn how CISA is thinking about the matter.
The latest rev – version 1.3 – was released this month, featuring new information about zero trust. “Prior to this release, there was no singular, authoritative, and recognized reference for architecting an ICAM capability across an enterprise,” reads CISA’s announcement.
Topics include:
To get more details, read CISA’s announcement and the full 68-page document.
Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.