The inaugural State of Cyber Assets Report (SCAR) offers insights from over 370 million cyber assets across 1270 organizations. We conducted this research to understand how the proliferation of software-defined assets has changed the topology of attack surface management and security best practices.
If every cyber asset in this dataset were represented by a drop of water, the whole dataset would equate to nearly 5,000 gallons of water. That's enough water to fill the average guest bedroom in the U.S. (10' x 10' x 8') with just enough space to keep one's head above water.
Organizations are drowning in cyber assets.
What does this mean for individual security professionals?
On average, there are 0.106 cybersecurity professionals per single U.S. business entity [1], which means there are approximately 135 security professionals across the 1270 organizations in the report's dataset carrying the weight of cyber assets.
Considering that a gallon of water weighs about 8 lbs, that's nearly 5,000 gallons spread across 135 security professionals (at 1270 organizations), which means each carries about 290 lbs.
The average person can't even squat the equivalent of their body weight, let alone 300 lbs.
It's no wonder burnout is so rampant in the security profession.
Unfortunately, the sheer volume of cyber assets isn't the only thing contributing to the chaos. The complexity of relationships between cyber assets and their attributes are additional elements of a perfect storm in a rapidly changing attack surface landscape.
The 2022 State of Cyber Assets Report dives into:
- The superclasses of cyber assets like devices, networks, applications, data, and users
- The attributes of these cyber assets such as findings and policies
- The relationships between the attributes and cyber assets
- Common queries and questions about cyber assets
Top findings include:
- The Attack Surface is Expanding: The average security team is responsible for 165,633 cyber assets, including 28,872 cloud hosts, 12,407 network interfaces, 55 applications per human employee, 59,971 data assets (including 3,027 secrets), and 35,018 user assets.
- Alert Fatigue is Nothing New: The average security team is facing a backlog of 120,561 findings and alerts awaiting review.
- Cloud Assets Dominate: Nearly 90 percent of device assets in the modern organization are cloud-based, meaning physical devices such as laptops, tablets, smartphones, routers, and IoT hardware represent less than 10 percent of total devices.
- High Levels of Third-Party Risk: 91.3% of code running in the enterprise is developed by a third party, meaning that modern organizations are incredibly vulnerable to supply chain attacks.
- Orphaned Assets are a Myth: While previously believed to be heavily isolated, users, networks, and devices are hardly ever on an island considering their rampant first-degree relationships to mission-critical data.
In the coming weeks, we'll share more highlights and learnings across the following topics:
- The expanding attack surface
- Outdated skills training
- Cloud-native architecture
- Software supply chain
- Security blind spots
Lastly, here is an infographic showcasing data from the report: