Introducing the 2022 State of Cyber Assets Report

The inaugural State of Cyber Assets Report (SCAR) offers insights from over 370 million cyber assets across 1270 organizations. We conducted this research to understand how the proliferation of software-defined assets has changed the topology of attack surface management and security best practices.

If every cyber asset in this dataset were represented by a drop of water, the whole dataset would equate to nearly 5,000 gallons of water. That's enough water to fill the average guest bedroom in the U.S. (10' x 10' x 8') with just enough space to keep one's head above water.

Organizations are drowning in cyber assets.

What does this mean for individual security professionals?

On average, there are 0.106 cybersecurity professionals per single U.S. business entity [1], which means there are approximately 135 security professionals across the 1270 organizations in the report's dataset carrying the weight of cyber assets.

Considering that a gallon of water weighs about 8 lbs, that's nearly 5,000 gallons spread across 135 security professionals (at 1270 organizations), which means each carries about 290 lbs.

The average person can't even squat the equivalent of their body weight, let alone 300 lbs.

It's no wonder burnout is so rampant in the security profession.

Unfortunately, the sheer volume of cyber assets isn't the only thing contributing to the chaos. The complexity of the relationships between cyber assets and their attributes is an additional element of a perfect storm in a rapidly changing attack surface landscape.

The 2022 State of Cyber Assets Report dives into:

  • The superclasses of cyber assets like devices, networks, applications, data, and users
  • The attributes of these cyber assets such as findings and policies
  • The relationships between the attributes and cyber assets
  • Common queries and questions about cyber assets

Top findings include:

  • The Attack Surface is Expanding: The average security team is responsible for 165,633 cyber assets, including 28,872 cloud hosts, 12,407 network interfaces, 55 applications per human employee, 59,971 data assets (including 3,027 secrets), and 35,018 user assets.
  • Alert Fatigue is Nothing New: The average security team is facing a backlog of 120,561 findings and alerts awaiting review.
  • Cloud Assets Dominate: Nearly 90 percent of device assets in the modern organization are cloud-based, meaning physical devices such as laptops, tablets, smartphones, routers, and IoT hardware represent less than 10 percent of total devices.
  • High Levels of Third-Party Risk: 91.3% of code running in the enterprise is developed by a third party, meaning that modern organizations are incredibly vulnerable to supply chain attacks.
  • Orphaned Assets are a Myth: While previously believed to be heavily isolated, users, networks, and devices are hardly ever on an island considering their rampant first-degree relationships to mission-critical data.

In the coming weeks, we'll share more highlights and learnings across the following topics:

  • The expanding attack surface
  • Outdated skills training
  • Cloud-native architecture
  • Software supply chain
  • Security blind spots

Get the full report today and sign up for our webinar highlighting the key research findings on March 28 at 11am PDT.

Lastly, here is an infographic showcasing data from the report:

[Infographic: 2022 State of Cyber Assets]

Footnote

[1] (ISC)2 Cybersecurity Workforce Study 2021

Ashleigh Lee