The second annual State of Cyber Assets Report (SCAR) is now available, closely analyzing the cyber assets and security findings from small, mid, and enterprise organizations using JupiterOne.
Not only does the SCAR offer insights into these data points, but it also provides a valuable comparison to last year’s inaugural report. If you aren’t already familiar with the inaugural report, it was, as far as we’re aware, the first report to analyze cyber assets, asset categories, and security teams as closely as it did.
Each report contains valuable insights and analysis to help technology and security leaders understand their cyber asset landscape and attack surface better. As part of our commitment to making unified cyber insights a central part of your cybersecurity program, it’s our hope the SCAR will help security teams develop more effective security approaches thanks to a greater understanding of what they are tasked to protect.
The volume of cyber assets is growing
This should come as no surprise to anyone who works in technology, or really in any area of business. The number of cyber assets is growing. In the 2023 SCAR, we found that the average security team is responsible for 393,419 cyber assets, a 133% increase over 165,000 in 2022.
Let’s stop for a moment to think about that. For inspiration, I looked back on my colleague Ashleigh’s blog announcing the SCAR last year, where she equated each cyber asset to a drop of water. It’s a colorful visualization and it serves to underscore the volume of cyber assets and the pressure this volume puts on security teams.
What about the financial value (and pressure) of cyber assets? To follow Ashleigh’s use of analogies, let’s turn our eyes to the sky.
Cyber assets are valuable
The average number of cyber assets (393,419) is very close to the average distance between the earth and moon (382,500 kilometers). Given that it took the Apollo astronauts three days to fly there, that’s a hefty number, but it doesn’t tell the whole story.
The 2023 State of Cyber Assets Report calculates the mean value of each cyber asset to its organization, a simple equation: Total Number of Assets / Market Capitalization. The first part of that equation, the average number of cyber assets referenced previously, is 393,419 per organization. We used a cross-section of publicly available records to come up with the best estimate for the average market capitalization number. This value, $17,711, demonstrates that cyber assets are worth the effort to understand, prioritize, and protect.
Going back to our moon analogy, the first Apollo landing mission, Apollo 11, cost $355m in 1969. Adjusted for inflation to today’s value, that mission cost NASA roughly $3,700 per kilometer, round trip. Every cyber asset is worth nearly $14,000 more than a kilometer of flight to the moon.
To quote virtually everyone on social media who gets excited about a spike in any cryptocurrency’s value, “To the moon!” indeed.
Other interesting findings in the SCAR
The State of Cyber Assets Report is the culmination of deep analysis into some seriously large numbers. The findings in the report will hopefully give security leaders and practitioners some ‘a-ha!’ moments and offer perspective on their own security practices and methodology.
Here are just a few notable findings from the report:
- Visibility across data sources. The average security team correlates data from 8.67 different security data sources. While more data might be construed as better or a sign of a mature security posture, that isn’t necessarily the case, and these teams are likely depending on more than just the attributed security data sources found during our research.
- DATA and DEVICES top vulnerable superclasses. By far the most vulnerable of the superclasses, DATA and DEVICES collectively represent 96.35% of all unresolved security findings analyzed in the SCAR.
- Multiple cloud accounts. On average, security teams at small organizations have over 171 AWS, GCP, and Azure accounts (including projects and subscriptions, to secure. Large organizations, on average, must secure 225 accounts across these services, and mid-sized organizations have over 559 cloud accounts to secure.
Over the coming weeks, we’ll welcome several members of our team to comment on specific findings from the 2023 State of Cyber Assets Report here on the blog. We’ll also be holding a webinar about the report on Wednesday, April 19 at 1PM EDT. Register today to reserve your seat and get access to the on-demand recording!
In the meantime, be sure to download your copy of the 2023 SCAR, and hopefully we’ll talk to you on April 19!