Published Reports

  • 2021 Security Outcomes Study

    Security is ever-evolving to the point that success can feel elusive, even for organizations with massive budgets. This global study of over 4,800 professionals aims to move past theory to empirically measure which security practices actually drive successful program outcomes. We analyze 25 security practices against roughly a dozen high-level objectives—from enabling the business to…

  • Internet of Tip-Offs (IoT)

    Since the first internet-connected vending machine, the “Internet of Things” has exploded into a global conflagration, yet security remains a persistent afterthought. This report shifts the focus from consumer to enterprise IoT, examining how exposed devices—from cameras to printers—affect the risk surface of more than 35,000 organizations. We investigate whether these devices are just isolated…

  • Prioritization to Prediction, Vol. 6

    Cybersecurity is a continuous game of cat-and-mouse, but who actually owns the momentum? This sixth volume investigates the entire vulnerability lifecycle—from reservation and publication to exploitation and remediation—to identify the forces that widen or shrink the attacker-defender divide. We track 18,000 CVEs to see how quickly exploitation spreads across the internet relative to the speed…

  • Internet Risk Surface in the Financial Sector

    Risk management is the foundation of the financial industry, yet the digital era presents novel challenges that cross traditional perimeters. This study benchmarks digital risk factors specifically for financial services, comparing them to other sectors like healthcare and energy. We delve into five key dimensions—hosts, providers, geography, asset value, and findings—to determine if the industry…

  • State of Software Security, Vol. 11

    “Every company is a software company,” and the challenges of secure development have never been more pervasive. For the 11th edition of SOSS, we analyzed the full history of 130,000 active applications to understand the untold stories of remediation. This report introduces the concept of “nature vs. nurture,” distinguishing between the factors developers inherit (app…

  • Third-Party Security Signals

    The underpinnings of digital transformation—data storage, remote access, and network administration—form the essential fabric of modern IT, yet they also offer the most direct pathways for opportunistic attackers. When these services are exposed indiscriminately to the public internet, they provide a “not-so-secret” entrance for threats that require zero sophistication to exploit. This report investigates the…

  • Weaving a Safer Web

    Communicating securely on the web is a fundamental competency, yet it remains an elusive goal for a significant portion of the enterprise landscape. While individual host data suggests that only 2.2% of HTTPS systems fail to support TLS 1.2, this metric masks a deeper organizational struggle. When viewed through the lens of firms rather than…