Organizations are overconfident in their ability to manage subsidiary risk, and they continue to experience attacks involving subsidiaries. This research examines how well large companies manage risk from subsidiaries, what difficulties and constraints they encounter, and the ramifications of these. The study, commissioned by CyCognito and conducted by Osterman Research, surveyed enterprises with over $1 billion in annual revenue and an average of more than 19 subsidiaries.
The research shows a perplexing disparity between what large organizations want to believe and the actual state of affairs when it comes to managing subsidiary risk. The majority of organizations reported they were doing a good job managing subsidiary risk, yet 67% of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary or that they lacked the ability or information to rule out that possibility. Even more telling, 50% of respondents reported they would not be surprised if a cyber-breach was to occur “tomorrow” at one of their subsidiaries.
Current tools and processes for managing subsidiary risk present multiple shortfalls, including a focus on compliance at the expense of security, complex onboarding processes, infrequent and lengthy risk management processes that leave too many blind spots, an excess of manual tools, and a lag between results and remediation.
The key takeaways of this research are:
- Most have experienced a cyberattack that included a subsidiary
67% of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary or that they lacked the ability or information to rule out that possibility. Only 33% of respondents have not experienced a cyberattack that included a subsidiary. See Figure 1.
- Assessing subsidiary risk is a high priority
Respondents treat subsidiary risk as a priority: 85% regard assessing subsidiary risk as a top 10 priority relative to other security and risk initiatives. Overall, 47% regard subsidiary risks as a top 5 priority.
- Concerns about digital transformation and supply chain breaches reign
The macro trends seen as having the greatest impact on risk in subsidiaries are pandemic-accelerated digital transformation and supply chain breaches.
- Half would not be surprised by a breach at a subsidiary tomorrow
50% of respondents would not be surprised if a cyber-breach occurred “tomorrow” at one of their subsidiaries. Cybersecurity managers had a higher expectation of breach than risk managers.
- Compliance, measurement, and prioritization the top drivers
The three most important outcomes expected for subsidiary risk management are meeting compliance mandates, measuring subsidiary risk, and prioritizing investment in security posture improvement.
- Point-in-time only, duration, and blind spots the top concerns
The three highest ranked concerns about existing subsidiary risk management practices: they provide only a point-in-time snapshot, the process takes too long, and they offer only limited test coverage, leaving too many blind spots.
- Desire for more actionable information, reduced false positives, and increased frequency
The three changes respondents would most like to make in their process are getting actionable information, reducing false positives, and increasing the process frequency.
Figure 1. Subsidiary Implicated in Cyberattack Chain. Percentage of respondents
- Huge variation between current and preferred remediation time
Two thirds of respondents report that time to remediate a detected subsidiary risk was a week or longer on average, and sometimes up to three months. For 71% of respondents, the preference is a day or less.
- Risk and vulnerabilities increase with more subsidiaries
Enterprises with more subsidiaries are 50% more likely to take longer than a month to remediate detected security gaps than those with fewer subsidiaries. Respondents at parent companies with 17 or more subsidiaries were almost twice as likely as those at parent companies with 16 or fewer subsidiaries to say that a subsidiary has been implicated in a cyberattack chain more than once.
About this White Paper
Osterman Research conducted a primary market survey of 201 organizations with at least 10 subsidiaries, and at least 3,000 employees and/or $1 billion in annual revenue. The 201 respondents were in management roles for cybersecurity, compliance, or risk. All organizations had staff dedicated to monitoring subsidiary risk. The survey and this white paper were sponsored by CyCognito; see the end of this paper for information on CyCognito.
For the purposes of this research, “subsidiaries” means any entity owned by a parent company, regardless of whether they are called a business unit, brand, standalone company, etc.
Cyber Risk from Subsidiaries Presents a Major Threat to Organizations
Even the organizations most focused on subsidiary risk and that rank it as a top priority have not been able to prevent attacks involving subsidiaries. In this section, we explore the detailed survey results and what they mean.
Subsidiary Risk Management is a Priority
All respondents to this survey work in organizations that have staff dedicated to managing subsidiary risk—something not true of organizations in general. Respondents treat subsidiary risk as a priority: 47% regard assessing subsidiary risk as a top 5 priority relative to other security and risk initiatives, and 85% overall regard subsidiary risk as a top 10 priority.
Despite the current focus on managing security risk at subsidiaries, 50% of organizations would not be surprised if a cyber-breach happened “tomorrow.”
Figure 2. Priority of Assessing Cybersecurity Risk of Subsidiaries. Percentage of respondents
Not Surprised by Cyberattacks
Among these organizations with a high awareness and focus on subsidiary risk management, 67% of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary or that they lacked the ability or information to rule out that possibility. Also surprising was that, even among this vigilant group, 50% of respondents reported they would not be surprised if a cyber-breach was to occur “tomorrow” at one of their subsidiaries.
Figure 3. Expectations on Reaction to a Hypothetical Breach at a Subsidiary. Percentage of respondents
Cyberattacks are Common
Only 33% of respondents have not experienced a cyberattack that included a subsidiary. Just under one third (31%) have experienced a cyberattack more than once where the attack surface or attack chain included one of their subsidiaries; 23% have experienced only one attack where the attack surface or chain included a subsidiary; and an alarming 12% of organizations said they were unsure whether they had experienced an attack involving a subsidiary because they lacked the visibility or information to know.
67% of organizations have experienced a cyberattack that included a subsidiary in the attack surface or attack chain.
Figure 4. Subsidiary Implicated in Cyberattack Chain. Percentage of respondents
Macro Trends are Having an Impact
Macro trends and the business environment in which organizations operate affect operational realities. Recent events bring the importance of subsidiary risk management into sharper focus. The macro trends seen as having the greatest impact on risk in their subsidiaries were:
- The impact of pandemic-accelerated digital transformation (69% of respondents said this trend was “very impactful” or “most impactful”). The requirement to rapidly transform business operations to support remote fulfilment and a work-from-home workforce under the duress of an unprecedented health pandemic has taken a toll on cybersecurity readiness.
- The impact of supply chain breaches (56% of respondents). High-profile breaches over the past year—e.g., SolarWinds and Kaseya—have elevated the awareness of and concern about this type of threat.
Figure 5. Impact of Key Trends on Concerns About Subsidiary Risk. Percentage of respondents indicating “very impactful” and “most impactful”
Pandemic-accelerated digital transformation and supply-chain breaches are the most impactful macro trends on managing subsidiary risk.
Factors That Hamper Subsidiary Risk Management
Several factors hamper the ability of organizations to manage subsidiary risk. In this section, we look at two significant factors.
A Focus on Compliance vs. Security
Compliance mandates and security imperatives have long gone together, but compliance is generally seen as a lower bar, and sometimes even a “checklist” or a “tick-the-box exercise” that must be met, as compared to a security-first approach. Yet compliance ranked first in the three most important outcomes expected for subsidiary risk management:
- Meeting compliance mandates.
- Measurement of subsidiary risk.
- Prioritization of investment in security posture improvement.
Since respondents ranked compliance as the most important outcome for managing subsidiary risk, it may be less surprising that so many have seen attacks involving subsidiaries and that they wouldn’t be surprised if they were breached through a subsidiary soon.
Organizations are more focused on the compliance aspects of monitoring subsidiary risk than the security aspects.
Figure 6. Importance of Outcomes Percentage of respondents indicating “very important” and “most important”
Low Process Maturity for Onboarding Subsidiaries
Digging deeper exposed multiple process gaps that organizations face—and need to close—when it comes to subsidiary risk management. For instance, only 5% of organizations have mature processes to allow seamless onboarding of a subsidiary to their existing risk monitoring processes. As with any process, the more complex it is, the greater the likelihood for errors. In cybersecurity, those errors usually translate into security gaps that organizations are unaware of and attackers can exploit. In the case of onboarding new subsidiaries, 77% of respondents reported there’s a lot of onboarding work to be done, with 39% reporting that the parent company is saddled with the work, and an additional 38% said it placed a burden on both the subsidiary and the parent.
Only 5% of respondents said that onboarding a new subsidiary into their risk management process is a seamless activity.
Figure 7. State of Onboarding Process for New Subsidiaries Percentage of respondents (sums to 99% due to rounding)
Once subsidiaries are onboarded to their risk monitoring processes, organizations indicated they were concerned about the infrequency and “point-in-time” nature of their processes (45%), how long it takes to perform them (41%), and limited coverage leaving too many blind spots (38%). The three things organizations want to change most about their existing subsidiary risk management process are getting more actionable information (42%), having fewer false positives (36%) and increasing the frequency of assessments (33%). More on these concerns and limitations below.
Visibility Gaps and Lack of Actionable Information
Respondents point to a desire for more security intelligence to help improve their subsidiary risk management processes. Given that these organizations have a focus on managing subsidiary risk, and they are primarily looking for compliance-oriented measurements, it is not surprising that they point to the need for information that is more complete, frequent, and actionable. In this section, we look at the top concerns and desired changes with current processes, along with the high cost of slower security processes.
Top Concerns with Existing Practices
Respondents rated the level of concern felt with eight aspects of their current subsidiary risk management process. The top three concerns are:
- Too infrequent or provides only a point-in-time snapshot of security posture (45% of respondents said they were “very concerned” or “most concerned” about this issue).
- It takes too long (41% of respondents).
- Limited test coverage/too many blind spots for the subsidiaries we test (38% of respondents).
Organizations are looking for more complete, frequent, and actionable subsidiary risk intelligence.
Figure 8. Concerns with Current Processes for Subsidiary Risk Management Percentage of respondents indicating “very concerned” and “most concerned”
Highly Rated Desired Changes
Respondents had a list of prioritized changes that they would like to make in their process for managing subsidiary risk. Out of the seven changes we asked about, the three highest rated changes were:
- Getting actionable information.
- Reducing false positives.
- Increasing frequency.
More actionable information, fewer false positives, and increased process frequency are the most preferred changes in how subsidiary risk management operates.
Figure 9. Importance of Factors to Change About Current Process for Monitoring Subsidiary Risk Percentage of respondents indicating “most” and “second-most important”
The Cost of Taking Too Long
Attackers are business-minded and motivated to find the greatest return on their attack “investment.” They seek the path of least resistance to find the portion of an enterprise’s attack surface that is least protected and least monitored, which would then allow them to get to valuable assets. What concerns respondents most about their current subsidiary risk management practices is the point-in-time nature of the data they get, with snapshot views quickly outdated. Further, existing processes don’t cover enough to begin with, leaving organizations at risk. Respondents also report that the quality of the data is a concern, with time-wasting false positives noted as one of the top three things they want to change.
Specifically, on taking too long, 54% report that it currently takes from 1 week to 3 months to measure the risk of all their subsidiaries. When asked how long they would prefer it to take, only 7.5% were willing to fall in that range. The vast majority—71%—said they want the results in a day or less. You can see this illustrated in Figure 10 where the blue bars indicate current practices, and the green bars (showing what’s desired) are effectively the blue bars shifted to the left, reflecting that organizations would prefer it take less time. Asked what is preventing them from achieving that more rapid cadence, a lack of time was reported as the biggest barrier (67%), implying that processes are likely highly manual in nature. That’s consistent with the next most significant barrier, limitations in their toolset (62%).
Figure 10. Time to Measure Subsidiary Risk. Percentage of respondents
Time Lag Between Detection and Remediation
Beyond the time to measure the risk of subsidiaries, respondents also report a lag of time between detection of a security gap and remediation of said gap. More than half (53%) report that it takes at least a week or longer, with 20% of the overall taking a month or longer. This is a dangerous lag for an exposure that may well be the entry point for a ransomware gang.
Figure 11. Average Time to Remediate a Security Gap After Detection Percentage of respondents
Few organizations are using a single tool for managing subsidiary risk, which creates largely manual processes that increase the likelihood of mistakes and decrease the chances of eliminating subsidiary risk.
Multiple Tools, Manual Processes
Organizations are generally using multiple tools (91%) to manage subsidiary risk. Only 9% are using just one tool, which indicates that there is no single product, or product category for that matter, that organizations can rely on. The majority (53%) use 2-3 different tools, and 38% are using 4 or more tools. This reinforces the fact that processes are largely manual: working with 3-6 different IT and security tools typically involves manual data extraction, correlation and reporting, and ultimately increases the likelihood of mistakes and decreases the chances of achieving the required cadence or coverage to find and eliminate subsidiary risk.
Figure 12. Number of Tools Used Currently to Monitor Subsidiary Cybersecurity Risk Percentage of respondents
The Cost of Too Many Tools
Currently used tools are proving insufficient for delivering the desired process frequency for measuring and remediating subsidiary risk.
Current toolsets are not capable of providing the analysis any quicker, and staff lack the time to cover tool-based weaknesses through manual efforts.
Figure 13. Reasons for Not Achieving Desired Process Frequency Percentage of Respondents
Effectiveness of Tools
Of the tools organizations are using, attack surface management products are viewed as the most effective solutions. Seen as least effective are questionnaires, cybersecurity risk rating services, and OSINT and other point tools. Questionnaires are likely the oldest “technology” in use and are prone to human error and other self-reporting errors. OSINT tools require a great deal of manual effort to operate and to extract useful information, which limits their utility. Security rating services may discover subsidiaries and other supply chain partners, but they use passive measures to assess security and so are not good at producing actionable security insights.
Based on the collective wisdom from the responses summarized in Figures 12-14, it appears that existing tools and processes leave gaps across subsidiary risk coverage and cadence and that a more scalable, automated approach is required to meet the needs of organizations looking to effectively manage their subsidiary risk.
Attack surface management solutions are viewed as the most effective tool category for managing subsidiary risk.
Figure 14. Effectiveness of Various Tool Categories. Percentage of respondents
Organizations with More Subsidiaries
Of the companies surveyed in this report, the mean and median numbers of subsidiaries were 16 and 20, respectively. It was clear that the more subsidiaries an organization had, the more hurdles there were to staying on top of subsidiary risk. Only 5% of parent companies have a process maturity that allows seamless addition of subsidiaries when onboarding into their current subsidiary risk process (see Figure 7). Given the growing importance of monitoring subsidiary risk, most parent companies have a substantial process gap to close to reduce the cost and time required for the onboarding of future subsidiaries. Having policies, procedures, personnel, and tools that can scale is increasingly important.
In this research, organizations with more subsidiaries have:
- More likelihood a subsidiary is part of an attack chain
The more subsidiaries, the greater the attack surface and the likelihood of compromise. Respondents at parent companies with 17 or more subsidiaries were almost twice as likely as those at parent companies with 16 or fewer subsidiaries to say that a subsidiary has been implicated in a cyberattack chain more than once.
- Longer timeframes to measure risk
Parent companies with fewer subsidiaries are significantly less likely to take over a month to gain an updated view of all subsidiaries. For example, with 16 or fewer subsidiaries (n=101 respondents), 19% of respondents take one month or longer. With 17 or more subsidiaries (n=100 respondents), 36% of respondents take one month or longer.
- The more subsidiaries, the longer it takes to remediate vulnerabilities
Organizations with more subsidiaries take longer to remediate security vulnerabilities than those with fewer subsidiaries. Parent companies with more than 17 subsidiaries are 50% more likely to take longer than a month to remediate a security vulnerability once it has been detected.
Organizations with more subsidiaries have a larger attack surface which elongates processes for measuring and remediating risks.
Figure 15. Current Time to Create Updated View of Subsidiary Risk: By Subsidiary Groupings Percentage of respondents
Figure 16. Current Time to Remediate Security Vulnerabilities: By Subsidiary Groupings Percentage of respondents
This study shows that the practice of managing subsidiary risk is substantially lacking for most large enterprises. The implications of low current process maturity and unaddressed, exposed security weaknesses will continue to escalate. In addition, many organizations fear an increased risk from subsidiaries as a result of pandemic-accelerated digital transformation and supply-chain breaches, since subsidiaries expand the organization’s external attack surface. The ramifications of inferior risk management for subsidiaries are growing, meaning that organizations need to take urgent action to strengthen subsidiary risk management processes by embracing an elevated focus on security (vs. compliance) outcomes, introducing simpler and faster onboarding processes, driving more frequent and comprehensive visibility into vulnerable attack vectors, and shrinking the time gap between results and remediation.
No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, nor may it be resold or distributed by any entity other than Osterman Research, without prior written authorization of Osterman Research.
Osterman Research does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.