July 18, 2024

Last Updated on July 25, 2024

In a recent survey of over 400 SMB IT practitioners in the US defense industrial base (DIB), a surprising 67% rated their cybersecurity skill level as high or very high. Yet as the report also illustrates, the DIB is notorious for lax cybersecurity and many small defense suppliers are victims of costly data breaches.

Why the incongruity? And what does this disconnect potentially indicate about DIB cybersecurity and the upcoming need for Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance for thousands of SMBs?

This article shares expert commentary that seeks to rationalize these survey results and explain their relevance to DIB SMB cybersecurity progress (or lack thereof).

Key statistics on DIB cybersecurity maturity

According to respondents to Radicl’s DIB Cybersecurity Maturity Report 2024:

  • 61% report low to moderate effectiveness in threat investigation—a capability required for CMMC Level 2 certification.
  • 54% report low to moderate effectiveness in threat hunting—also required for CMMC Level 2.
  • 59% say they would take a week or more to detect a threat in their environment.
  • 27% admit they would need a month or more to detect a threat.
  • 59% had four or more user accounts or endpoints compromised in the past year.
  • 46% report cyber incidents costing $100,000 or more, which easily exceeds the cost of achieving CMMC Level 2 compliance for most SMBs.
  • 56% say they are still a year to two-plus years away from CMMC Level 2 compliance, despite the equivalent requirement for NIST 800-171 compliance being specified in US Department of Defense (DoD) contracts since December 2016.

But despite all these indications to the contrary, 67% of respondents rate their org’s security skill level as high or very high.

How can this be explained and why is it important to understand?

Hypothesis: DIB SMBs don’t know what good cybersecurity looks like

Chris Petersen, CEO at Radicl, has spent many years working with DIB SMBs. In his experience, many of these organizations don’t know what good cybersecurity even looks like.

“They’re not large enterprises that have been thinking about zero trust or defense in depth architecture,” Chris observes. “They don’t understand the product landscape and how to build a mature cybersecurity operation and resilient infrastructure. They still think in terms of endpoint security and network security. Multifactor authentication is a big step forward for them. They’re not thinking about a vulnerability management program or attack surface management or detection analytics and 24×7 incident response.”
With so many DIB SMBs needing up to a month or more to detect a threat in their environment, and/or experiencing compromised assets, it’s no wonder such a high percentage have endured costly incidents at the hands of embedded adversaries.

In short, DIB SMBs may be assessing their cybersecurity postures against a much lower benchmark than they should be. If they understood why more advanced capabilities are necessary to protect controlled unclassified information (CUI) and other sensitive data, they might not rate themselves as highly.

Other potential reasons why DIB SMBs over-rate their cybersecurity

Besides “we don’t know what we don’t know,” why else might DIB orgs think their cybersecurity is better than it is? Chris has two ideas:

  1. IT professionals are reluctant to admit weakness in this key area.
  2. DIB SMBs, like other SMBs, might believe their MSP/MSSP is doing more for them than they actually are.

While #1 is mostly speculative, #2 makes sense if DIB SMBs are not educated on what constitutes effective cybersecurity. This would make it difficult to know how well their cybersecurity vendors are actually doing.

Plus, it is determined nation-state adversaries that are attacking the defense supply chain. Even large enterprises with hundreds of dedicated cybersecurity staff are routinely compromised by these hackers.

“This just speaks to how hard it is to do cybersecurity well,” says Chris. “And also the need to keep doing it better.”

“This is industrial espionage, and these companies have got to move beyond just core IT security,” Chris summarizes.

What’s next?

For more guidance on this topic, listen to Episode 140 of The Virtual CISO Podcast with guest Chris Petersen, CEO at Radicl.