On July 30, cybersecurity firm AttackIQ released a report, based on research by the Ponemon Institute, that evaluated the efficacy of enterprise security strategies. The report, titled “The Cybersecurity Illusion: The Emperor Has No Clothes,” stems from a Ponemon Institute survey of 577 information-technology and information-technology security practitioners in the United States “who are knowledgeable about their organization’s IT security strategy and tactics.” Fifty-eight percent of those respondents are at or above supervisory levels.
The report’s most prominent finding was that 53 percent of those surveyed admitted that “they don’t know how well the cybersecurity tools they’ve deployed are working. . . . While respondents are most confident in having visibility into the organization’s applications, endpoints and servers, only 35 percent of respondents say they have a high degree of confidence in visibility into their cloud and IoT devices.”
Other significant findings from the survey data included the following:
- Although companies are reportedly spending an average of $18.4 million annually on cybersecurity, data breaches still happen. Seventy percent of respondents attributed that fact to the skill of the attackers. Sixty-six percent attributed it to the complexity of computer security infrastructure, “in part because the companies represented in this research have an average of 47 separate security solutions and technologies deployed in their organizations.” Sixty-five percent of respondents attributed it to “the dynamically changing attack surface and lack of adequate security staff with the necessary skills.”
- Only 25 percent of respondents said that “the IT security team is able to respond to security incidents within one day,” primarily because of “a shortage of in-house expertise and the lack of timely response and engagement with other departments and functions.”
- Sixty-three percent of respondents noted that “they have observed a security control reporting it blocked an attack when it actually failed to do so.”
- Organizations have a mixed record of success in using penetration testing to discover cybersecurity gaps. Although 57 percent of respondents stated that their IT security teams conduct penetration testing, 31 percent of respondents stated that “they have no set schedule for penetration testing.” Similarly, while 65 percent of respondents reported that “their penetration testing is very effective or effective in uncovering security gaps,” only 17 percent of respondents stated that “they confirm security gaps every time they are found through penetration testing.”
- Respondents indicated that most organizations represented in the survey “will increase their IT security budget in the next 12 months, and 58 percent of respondents said that their organizations would be increasing their IT security budgets by an average of 14 percent.”
Note: Not only Chief Information Security Officers, but other C-level business executives should pay close attention to these findings. In particular, CISOs should have extended conversations with their information-security teams to see how their organizations’ cybersecurity programs are actually performing, and whether any of the shortcomings that the survey respondents identified are occurring in their own organizations.
While the Ponemon Institute survey asked respondents about their organizations’ expected IT security budget for the next 12 months, the percentage by which it would increase, the dollar range for the 2019 IT security budget, and the allocation of that budget, it did not ask whether they thought their organizations’ current and future cybersecurity budgets were adequate. For that reason, even if they believe that their current budgets are adequate, CISOs need to revisit that issue with their IT staff members and be prepared to seek additional funding from their organizations if those discussions identify critical deficiencies that must be addressed promptly.