Cybersecurity Investment: Spotlight on Vulnerability Management

Despite a 25% increase of the cost of major cyber incidents in 2022 compared to 2021, the new report on cybersecurity investment reveals a slight increase of 0,4% of IT budget dedicated to cybersecurity by EU operators in scope of the NIS Directive.

However, if organisations are inclined to allocate more budget to cybersecurity, 47% of the total of organisations surveyed do not plan to hire information security Full Time Equivalents (FTEs) in the next two years. Besides, 83% of these organisations claim recruitment difficulties in at least one information security domain. Such hiring issues surfacing in the report could be one of the factors when it comes to managing vulnerabilities.

Indeed, an analysis on patching of critical IT and OT assets in the transport sector shows that 51% of the organisations in the transport sector need one month to patch critical vulnerabilities and 21% need a time between 1 month and six months. Only 28% of the surveyed organisations fix critical vulnerabilities on critical assets in one week.

EU Agency for Cybersecurity, Executive Director, Juhan Lepassaar, said: “Allocating sufficient budgetary and human resources to cybersecurity is key to our success. Managing vulnerabilities is essential and must go hand-in-hand with "secure by design" initiatives. In the meantime, we do need to continually invest in areas such as identifying, managing and reporting vulnerabilities that can have an impact on the security of the whole Digital Single Market.”

Objective of the report on cybersecurity investment

The new report investigates how operators invest in cybersecurity and comply with the objectives of the NIS Directive. Collected from a total of 1,080 Operators of Essential Services (OES) and Digital Services Providers (DSP) from all 27 EU Member States, the data apply to reference year 2022.

Scope of the report

For the purpose of the analysis published today, the survey performed looked at OES and DSP as identified in the European Union's Directive on Network and Information Security Systems (NIS Directive). The objective of the report was to identify how organisation invest in cybersecurity in relation to the objective of meeting the requirements set by the initial NIS Directive.

However, the concept of investment also extends to the human element. 2023 is the European Year of Skills. This is why particular emphasis was placed on the topic of cybersecurity skills among OES and DSPs and to cybersecurity workforce hiring and gender balance.

The report therefore delves into IT security staffing and organisation of information security by OES and DSP with a special focus on the transport sector.

Key findings

• The part of IT budget OES/DSPs dedicated to cybersecurity reached 7,1% in 2022, representing an increase of 0,4% compared to 2021;
• 42% of OES/DSPs subscribed to a dedicated cyber insurance solution in 2022, representing a 30% increase from 2021. Still only 13% of SMEs subscribe to cyber insurance;
• OES/DSPs allocate 11,9% of their IT FTEs for information security (IS) a decrease of 0,1%
• OES/DSPs employ an average of 11% of women in IS FTEs. With median being at zero percent most of surveyed organisations do not employ any women as part of their IS FTEs;
• 47% of OES or DSPs do not plan to hire IS FTEs in the next two years,
• The organisations planning to hire information security FTEs in the next two years aim to hire 2 FTEs, with an average of 4 FTEs but 83% of the surveyed organisations claim recruitment difficulties in at least one information security domain.
• The NIS Directive is the main driver for cybersecurity investments for 55% of OES in the transport sector;
• 51% of the transport organisations manage OT security with the same unit or people as IT cybersecurity.

Vulnerability Management

Vulnerability management describes the process to identify and assess the associated risk of security vulnerabilities in order to resolve the cause before these can be exploited or intelligently reduce the risk of it by implementing adequate mitigation measures.

Managing vulnerabilities and ensuring patches are available protects the end-users and helps to ensure security is applied across the whole lifecycle of any product. The 2022 edition of the NIS Investments report found that for 46 % of organisations surveyed it takes more than 1 month to patch critical vulnerabilities.   Improving interoperability, automation and streamlined processes in order to exchange information can go a long way towards ensuring vulnerability disclosure. At the same time, vendors need to have the appropriate tools, processes and people in place to implement secure-by-design practices in order to reduce the risk for users, whereas organisations are responsible to reduce the time between the disclosure of vulnerabilities and their remediation by enabling tooling for automated vulnerability information sharing.

EU Vulnerability Coordination and Vulnerability Database

The NIS2 establishes a basic framework with responsible key actors on coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU and creates an EU vulnerability database for publicly known vulnerabilities in ICT products and ICT services, to be operated and maintained by the EU agency for cybersecurity (ENISA). The combination of national and EU efforts will form the basis for a mature vulnerability disclosure ecosystem within the EU. Importantly, these initiatives will contribute to an enhanced vulnerability management landscape.

The EU cybersecurity policy framework includes a number of proposed policy files. These include the Cyber Resilience Act (CRA) and the Cyber Solidarity Act (CSoA) which include provisions that propose to further improve vulnerability management in the EU, such as additional measures ensuring the quality of products and services that will contribute to the application of security aspects throughout the entire product lifecycle.

Background

The objective of the Directive on Security of Network and Information Systems (NIS Directive) is to achieve a high common level of cybersecurity across all Member States. The revised directive known as NIS2 came into force on 16 January 2023 extended the scope to new economic sectors.

One of the three pillars of the NIS Directive is the implementation of risk management and reporting obligations for OES and DSP.

OES provide essential services in strategic sectors of energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (Internet exchange points, domain name system service providers, top-level domain name registries).

DSP operate in an online environment, namely online marketplaces, online search engines and cloud computing services.

The report investigates how operators invest in cybersecurity and comply with the objectives of the NIS Directive. It also gives an overview of the situation in relation to such aspects as IT security staffing, cyber insurance and organisation of information security in OES and DSP.

Further Information

NIS Investments – ENISA report 2023

NIS Investments – ENISA report 2022

ENISA Topic - NIS Directive

Directive on measures for a high common level of cybersecurity across the Union (NIS2)

Contact

For press questions and interviews, please contact pressenisa [dot] europa [dot] eu (press (at) enisa.europa.eu)