The 2023 State of Cyber Assets Report (SCAR) released on April 12 and has been the topic of several articles here on the blog as well as at recent conferences and virtual events. In this article, we’re going to look at some comparisons between this year’s SCAR and the inaugural report from 2022.
Before we get started, it’s important to consider the long-term goal we have for the SCAR and where we currently stand on that journey. Our intention is to deliver a report that helps inform companies’ strategies toward securing their cyber assets, a resource similar in scope to industry standards like Verizon’s Data Breach Investigations Report.
The State of Cyber Assets Report is an industry-leading benchmark established in 2022 by our world-class research team. As you’ll see in this article, that team expanded its efforts in 2023, bringing some new insights to the report that didn’t exist in 2022, while also refining its research methodology to improve the quality of those insights and data points.
Big research projects tend to take on a life of their own, and the greatest value comes from analyzing the data further in articles and conversations following the report. Comparing the results between the 2022 and 2023 report yields some interesting and valuable results, including the beginnings of some possible trends in the data.
So let’s dive in to look at how things have changed over the past year in a few key areas.
What’s different in the 2023 SCAR?
The most fundamental difference in the 2023 State of Cyber Assets Report was probably the selection criteria for organizations we analyzed data from and the methodology for analyzing those results. To understand that change better, I asked Jasmine Henry, the lead researcher for the report, to explain what was different from 2022.
“A lot has changed over the past year, inside the JupiterOne platform and amongst our customer base, that led to some changes in how we categorize our customers, how we view their data, and even how we price our product, which had an effect on the data,” Jasmine said. “As we’ve brought on more enterprise customers since the last SCAR, we had to adjust accordingly. Getting into too much detail risks potentially exposing sensitive information, but those are the main reasons the 2023 SCAR differs significantly from the inaugural report.”
The changes Jasmine referenced are important to consider when looking at the raw numbers featured in the report. For example, the 2023 SCAR found that the average security team is responsible for the following:
- 393,419 cyber assets and attributes
- 55,473 policies
- 830,639 findings
The increases over 2022 are staggering. Cyber assets and attributes increased by 137.5% (165,633 in 2022), policies increased by 564.7% (8,345 in 2022), and findings jumped by 589% (120,561 in 2022).
These increases can’t simply be attributed to asset growth, although every industry trend indicates that it’s one factor to be considered. Changes to the research methodology and company selection must be factored in, as should continued improvements JupiterOne has made to the platform. As we strive to bring unified cyber insights to our customers and build more integrations into the platform, the numbers likely will continue to increase over future SCAR reports.
Company size and industry categories bring context to report findings
Possibly the biggest change in the 2023 SCAR is the addition of company sizes to the analysis. In 2022, we focused on setting the foundation for future reports by delivering one layer of analysis. This meant that the data was ‘flat’ in some regards, without accounting for differences in company size, industry, or other contextual factors.
By breaking the numbers down into different industries and across small, medium, and large business sizes, we can start to extract more useful insights from the data. We’re continuing to delve into these insights and debate their implications.
For example, instead of a flat average number of cyber assets per employee for all companies in the report, we learned that large companies, on average, have the most (2,011 per employee), while surprisingly small companies (681 per employee) have more cyber assets than mid-sized companies (489 per employee).
The drop in number from small to mid-sized companies can be explained several ways, in theory. It’s possible that growing companies put more controls and policies in place that reduce the number of cyber assets in play. Or it could simply be a math problem - some small companies have as few as single digit employees but still work with technology that creates a significant number of cyber assets, skewing the averages.
The company size and industry numbers (we haven’t even mentioned industry breakdowns yet - that’s a topic for another article on its own, along with more details about company size comparisons) force us to ask questions we hadn’t even considered in the 2022 report, which will make SCAR 2024 and beyond even more fascinating to study.
Expanding the cyber asset visibility horizon
The 2023 SCAR is analogous to what we’re doing as a company - namely, expanding the breadth of visibility into your cyber assets to better secure and inform your business. Some other key additions to the report really stood out.
Understanding cloud service provider adoption
Cloud service provider (CSP) usage is a big part of today’s technology landscape and, as such, also the organization’s attack surface. In the 2023 SCAR, we found that 60% of the 89.7 million assets analyzed for the report originate from a CSP (a number I’d be willing to guess will grow in 2024).
We also found that 31% of the organizations studied are using three (3) CSPs simultaneously. It will be interesting to see if this number grows as well, or if organizations gravitate towards a preferred provider as their cloud posture matures.
Placing a value on cyber assets
The idea of putting an average monetary value on each cyber asset is an interesting exercise that, in its earliest iteration, offers a baseline for understanding the financial implications of cyber attacks and security shortcomings.
This value, $17,711, came from dividing the average number of cyber assets per organization by market capitalization, which was derived from publicly available records and market data. It’s difficult to simplify a complicated concept such as value down into one single calculation; the research team is already discussing how to evolve the calculation to provide a more nuanced understanding of cyber asset value in next year’s report.
Where does the data come from?
I think this is one of the more interesting additions to the 2023 SCAR. In the report, we found that the average security team correlates and uses data from 8.67 security data sources. Mid-sized companies bring this average up, correlating data from 10.11 sources.
This is classic in the cybersecurity industry. Anyone who’s worked in or seen a security operations center (SOC) can picture analysts looking at multiple monitors, bouncing between tools as they conduct their analysis or respond to incidents.
This is also why the phrase ‘single pane of glass’ has become something of a cliched Holy Grail in the security industry. Working across multiple tools and data sources is difficult and inefficient, and explains why security teams continue to struggle with overwork, backlogs, and burnout.
What’s ahead for SCAR
We aren’t done picking through the findings from SCAR 2023 yet. We have several more upcoming articles, featuring more discussion about topics like company size and industry, vulnerabilities, security findings, and more.
Additionally, if you have any questions or topics you’d like to see more information written about, we encourage you to reach out by email to research@jupiterone.com.