Which cybersecurity controls are organizations struggling with?
How are organizations performing across cybersecurity controls in the Minimum Viable Secure Product (MVSP) framework? A recent analysis by Bitsight and Google reveals some good and some bad results – and room for improvement.
What is MVSP?
Minimum Viable Secure Product (MVSP) is a baseline security checklist for B2B software and business process outsourcing suppliers, consisting of 25 controls across four key areas – Business, Application Design, Application Implementation, and Operational.
For the “Cybersecurity Control Insights: An Analysis of Organizational Performance” study, Bitsight and Google collaborated to create a methodology to measure organizational cybersecurity performance using Bitsight analytics across the MVSP framework.
The study analyzed the cybersecurity performance of nearly 100,000 organizations around the world across nine industries. Bitsight mapped its risk vectors to 16 of the 25 MVSP controls and reported performance for 2023 (data through March 2023) as well as over time. Google validated the statistical approach used in the analysis.
Are organizations meeting cybersecurity performance standards?
The study found that while every industry had a high 2023 Pass rate for 10 of the 16 MVSP controls studied, many organizations are still failing controls that are critical to protecting themselves against cyber incidents.
The findings indicate that organizations across all industries have several areas in which they must improve their vulnerability management program to reduce exposure to potential breaches.
Notably, in the Computer Software industry the 2023 Fail rates for Dependency Patching and Time to Fix Vulnerabilities (controls that map to Bitsight analytics correlated with breach likelihood) improved less from their 2020 levels than the cross-industry average did. Because other industries depend on that software, the gap leaves them exposed to third-party risk.
Organizations did, however, record near-100% Pass rates for the following controls:
- Data handling
- Incident handling
- Logical access
They also had high Pass rates for Customer training (which contributes to a safer third-party digital ecosystem) and Training (a sign that organizations take training seriously, since human error can have serious consequences).
Organizations across all industries are struggling with controls that are critical to the health of their vulnerability management programs, Bitsight found.
Eight MVSP controls that are important for vulnerability management – External Testing, Self-assessment, Vulnerability Prevention, Encryption, HTTPS-only, Security Headers, Dependency Patching, Time to Fix Vulnerabilities – have either high 2023 Fail rates, low Pass rates, or both, across all industries.
Finally, the use of security headers has declined, including in the Computer Software industry.
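Two of the failing controls above, HTTPS-only and Security Headers, are the easiest to verify for your own properties, because the evidence is in every HTTP response. The checker below is an added example written for this article; it is not code from the Bitsight/Google study or from the MVSP project, and the header set it inspects, the one-year minimum HSTS max-age, and the two sample responses are this example's own assumptions (MVSP's exact wording is not reproduced on this page). The `WEAK_HEADERS` and `HARDENED_HEADERS` dictionaries are constructed, not captured from any real site.

```python
"""Baseline check of HTTP response headers of the kind the MVSP "Security
Headers" and "HTTPS-only" controls cover.

Added example, not code from the Bitsight/Google study or the MVSP project.
Assumptions (not taken from the article): the header set checked, the
one-year minimum HSTS max-age, and the constructed sample responses below.
"""
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split 'max-age=63072000; includeSubDomains; preload' into a dict of
    lower-cased directive names -> value (None for valueless directives)."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy into directive name -> lower-cased sources."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_security_headers(headers: dict[str, str], *, scheme: str = "https") -> list[str]:
    """Return a list of findings; an empty list means the response passes.

    Header names are compared case-insensitively, as HTTP requires, so the
    caller can pass headers exactly as a client library returned them.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # HTTPS-only: a page served over plaintext HTTP fails regardless of headers.
    if scheme.lower() != "https":
        findings.append("served over plaintext HTTP (HTTPS-only)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age") or "")
        except ValueError:
            max_age = -1  # absent or non-numeric max-age gives no protection
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} below assumed minimum {ONE_YEAR}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        # Clickjacking: either a CSP frame-ancestors directive or the legacy
        # X-Frame-Options header must be present.
        if "frame-ancestors" not in policy and "x-frame-options" not in h:
            findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
        # Inline script allowed by script-src (or default-src when script-src
        # is absent) largely defeats the XSS protection a CSP exists to give.
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP permits 'unsafe-inline' scripts")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        result = check_security_headers(hdrs)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample it reports five findings (short HSTS lifetime, no includeSubDomains, no clickjacking protection, inline script permitted, no nosniff); the hardened sample passes. To use it on a live site, feed it the response headers from whatever HTTP client you already use, and pass `scheme="http"` when the final response after redirects was not served over TLS, since a redirect chain that ends in plaintext is exactly what the HTTPS-only control is meant to catch.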
“We expected CS to outperform in most respects but that is not what we observed. CS’s stagnation — and at times underperformance — may be attributed to many factors, including workforce challenges, rising asset inventories, lacking cybersecurity tools, and more,” the analysts noted.
Keeping up with threats
Business leaders around the world need to understand where their companies' vulnerabilities lie and how they compare with others in order to manage increasingly complex cyber risks and stakeholder demands. Knowing the Pass and Fail rates of MVSP controls gives organizations a benchmark for their security performance and a basis for improving their cybersecurity strategies to reduce their exposure.
“It is more important than ever for business leaders to be fully aware of the organization’s application security risk, and how they are performing compared to their peers,” said Chris John Riley, Staff Security Engineer, Google.
“If organizations want to build and maintain a mature security posture in today’s turbulent and fast-moving environment, they need leaders that prioritize security management and a culture of constant improvement. Using frameworks like the MVSP, organizations can take the initial necessary steps to develop a strong security culture within their organizations.”