While cybersecurity is complex and multifaceted, security certifications (e.g., the eight domains of the CISSP common body of knowledge), regulations (e.g., HIPAA, PCI DSS), and best practices (e.g., the CIS Critical Security Controls) all recommend starting a cybersecurity program at the same place: security hygiene and posture management. Experts agree that strong cybersecurity starts with the basics: knowing about all IT assets deployed, establishing secure configurations, monitoring "drift" from those secure configurations, prioritizing remediation actions based on risk scores, and validating that everything is working as it should.

As a simple analogy, think about maintaining your automobile. If you follow best practices like regularly changing your motor oil, keeping your tires inflated at the recommended levels, and following the maintenance guidelines in your owner's manual, your maintenance will be predictable, and your automobile will likely be reliable.

Yup, security hygiene and posture management fits neatly into the "ounce of prevention is worth a pound of cure" category, so you'd think that security professionals would institute military-like precision in how they configure and maintain IT assets. Alas, that assumption would be dead wrong.

Unfortunately, new ESG research reveals the following:

Security hygiene and posture management remains immature. Seventy percent of organizations have more than ten security tools to manage security hygiene and posture management, leading to operational overhead, data inconsistencies, finger pointing, and human error. Even more telling, 73% of organizations admit that spreadsheets remain a key aspect of security hygiene and posture management. When you're trying to manage a highly dynamic area with spreadsheets, you're in trouble from the start.

The external attack surface is vulnerable and prone to exploitation. Attack surfaces are growing quickly because of three common factors: more IT connections to third parties, increasing device diversity, and greater use of public cloud infrastructure. The combination of a growing attack surface and poor management can be toxic: nearly seven in ten (69%) organizations admit that they have experienced at least one cyberattack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset. When it comes to attack surface management, cyber-adversaries are playing chess while defenders play a sloppy game of checkers.

Asset management depends upon tools, processes, and cross-departmental cooperation. When describing any type of security monitoring, vendors often paraphrase the famous quote, "you can't manage what you can't measure," attributed to management guru Peter Drucker. Regrettably, security asset measurement AND management remains haphazard at best. Organizations tend to use 10 or more asset inventory systems, devote nearly 90 person-hours to generating a single IT asset inventory, and conduct IT asset inventory audits every 2 months. Of course, this leads to numerous issues: 40% of security professionals say that conflicting data makes it difficult to get an accurate picture of assets, and 39% report that it is difficult to keep up with thousands of changing assets. Ol' Peter Drucker would be shaking his head at this performance.

Vulnerability management programs are fraught with challenges. Not surprisingly, it's the same story with vulnerability management. When asked to identify vulnerability management challenges, 30% said keeping up with the volume of open vulnerabilities (tens of thousands of open vulnerabilities aren't unusual at a large organization), 29% said automating the process of vulnerability discovery, prioritization, and mitigation, and 29% said coordinating vulnerability management processes across different tools. Despite years of trying, many organizations simply haven't figured out how to cope with the scale of vulnerability management, so they continue to hack their way through.

It's easy to spot a common problem here. Different domains of security hygiene and posture management, like attack surface management, asset management, and vulnerability management, have been managed somewhat independently in the past, probably due to factors like skills specialization and technology usage. A convenient kludge in 2008, but totally inadequate today.

While the research suggests a bleak security hygiene and posture management picture, there is some cause for optimism. In 2022, innovative security vendors will deliver security hygiene and posture management platforms that aggregate tools, analyze data, apply risk scores, and even suggest high-priority risk mitigation actions. ESG calls this new category security observability, prioritization, and validation (SOPV) technology.

I'll be digging into more research details about security hygiene and posture management problems, some suggested solutions from survey respondents, and SOPV in future blogs. Stay tuned!