
Technology and Software: 2023 Insights From the Ponemon Institute



The technology and software industry is at the forefront of driving the global digital revolution. As the custodians of digital advancement, this sector plays a crucial role in shaping our interconnected world. However, along with innovation comes the responsibility of mitigating cyber risks, which are exceptionally high for the technology industry. The 2023 IBM Cost of a Data Breach Report ranks the technology industry as the sixth most expensive amongst 17 industry segments, with each incident resulting in an average loss of $4.66 million for impacted organizations.

In this blog post, we share highlights of leading offensive security trends in the technology and software sector. Based on the Tech Ponemon Report, this analysis includes insights from 113 participants representing technology and software companies, making up 17% of the total sample.

The industry breakdown serves two purposes:

  • To arm security leaders within technology and software companies with valuable insights into how their peers and competitors are approaching offensive security
  • To spotlight the critical components that must be integrated into security strategies to effectively defend against the ever-evolving spectrum of cybersecurity threats

Tool Adoption

Data from the Ponemon report indicates that technology and software companies tend to have a more advanced approach to security compared to other industries surveyed. This leads to distinctive differences in their use of offensive security tools. They place a stronger emphasis on breach and attack simulation tools (43% vs. 37%), as well as dynamic application security testing (38% vs. 35%). This is consistent with the current trend of expanding attack coverage.

Additionally, the technology industry values vulnerability triage, employing vulnerability prioritization technologies more frequently than the cross-industry average (34% vs. 31%) while using vulnerability scanners slightly less (46% vs. 50%). This preference could be due to a more strategic and targeted approach to cybersecurity in technology and software organizations. Vulnerability scanners generally provide a broad overview of potential security exposures, yet do not incorporate methods to analyze exposure severity and prioritize remediations. Vulnerability prioritization technologies, by contrast, allow companies to focus on the most critical threats at hand, resulting in expeditious mitigation strategies for exposures with the highest business impact. This strategic approach reflects the agility and adaptability of the technology sector.

In this constantly evolving industry, organizations are continuously innovating and refining their cybersecurity strategies to stay ahead of emerging threats. This results in a more targeted approach to vulnerability management.

Security Tools Used to Discover Exposures or Facilitate Offensive Security Testing

FIGURE 1 - What security tools does your organization use to discover exposures and/or facilitate offensive security testing?

Motivations Behind Offensive Security Testing

Technology and software companies exhibit distinct patterns in offensive security testing compared to other sectors. While the fundamental types of testing remain consistent across industries, intriguing variations emerge in the driving factors behind these assessments.

Adopting cutting-edge technologies stands out as a primary motivator, with 49% of respondents emphasizing its significance, surpassing the 44% average observed across all industries. This emphasis aligns with the industry's focus on deploying innovative technologies, resulting in an expanded attack surface as a more prominent factor (35%) compared to the cross-industry average (29%). Similarly, cloud migration, a common priority for security testing across all sectors (41%), takes on added importance for technology and software companies, registering at 45%.

Conversely, cyber insurance premiums play a less significant role in motivating offensive security testing within the technology sector, with a rate of 29% compared to the industry average of 33%. This suggests the technology sector's deep technical expertise and continuous innovation cycles contribute to heightened risk mitigation, reducing reliance on external insurance as a safety net.

Furthermore, the technology sector places less emphasis on executive oversight (17% vs. 21%) as a driver for offensive security testing, underscoring a strong internal trust in their own cybersecurity measures and expertise. This reduced reliance on external validation signifies the sector's strategic and proactive approach to cybersecurity, minimizing the need for external oversight to develop hardened security measures.


FIGURE 2 - Which of the following use cases has driven offensive security testing in your organization in the last 18 months?

Achieving Security Objectives

Prioritizing zero-day response capabilities is a primary objective in offensive security testing for technology and software companies, with a notable 47% emphasis, surpassing the cross-industry average of 42%. This heightened priority emphasizes the industry's swift integration of new technologies and the accompanying risks. Emerging technologies are notorious for hiding undiscovered vulnerabilities, making zero-day response strategies imperative for upholding security and resilience.

Secondly, validating defense controls and technologies holds significantly greater importance for technology firms at 44%, far outshining the cross-industry average of 32%. This emphasis aligns with the technology sector's culture of constant innovation, propensity to push boundaries, and the diverse array of technologies deployed, necessitating continuous validation and testing to ensure the efficacy of defense systems against a wide array of potential cyber threats.

In parallel with all industries, adherence to compliance and regulatory requirements remains a top priority, emphasizing the universal significance of legal and social accountability in preserving a secure digital ecosystem.


FIGURE 3 - Which of the following goals or objectives are you trying to achieve with offensive security testing?

Navigating Top Cyber Threats

Technology and software companies zero in on social engineering (44%), insider threats (41%), and ransomware (40%) as their top three cyber threats. This closely aligns with the overall industry average, where ransomware (41%), social engineering (40%), and cloud vulnerabilities (39%) dominate the top three threats.

However, a notable deviation emerges as technology and software companies express more concern about distributed denial-of-service (DDoS) attacks, surpassing the cross-sector average (39% vs. 33%). This can be attributed to the high number of DDoS attacks against the technology sector. Analysis from F5 revealed that DDoS attacks against the technology sector in 2022 comprised 35% of all DDoS attacks, making it the top targeted industry. This sector-specific targeting underscores the need for heightened vigilance and tailored defensive strategies in the face of evolving cyber threats.


FIGURE 4 - What types of cyber threats are driving your offensive security investments?


The Offensive Security Blueprint for Technology and Software analysis reveals that the technology and software industry is at the forefront of security practices with a strong commitment to offensive security. To maintain their leadership in security, technology and software companies must continue to adapt and innovate their offensive security strategies to address emerging threats. This is particularly important considering their ever-expanding attack surfaces and the global reach of their applications – often integrated within enterprise networks and systems. By staying ahead of the curve, these companies can protect their technologies, offer security-backed reassurances to third-party vendors and/or customers, and maintain their edge in the industry.

To learn how other industries utilize offensive security practices, download the Ponemon Institute's 2023 State of Offensive Security Report.



About the author, Beth Robinson

Senior Content Writer

Beth Robinson is a Bishop Fox Senior Content Writer alumna. She joined Bishop Fox with nearly 20 years of experience focused on technical intelligence issues.
