world, organisations are faced with an ever-growing cybersecurity challenge as threats, assets and networks continue to evolve at an alarming rate. Ransomware, new technologies like IoT, cloud and containers, and even nation-state attacks are all causing increasing problems for IT security professionals charged with keeping their infrastructures secure.
To provide fresh insight into how security professionals feel about the current threat landscape, Tenable released findings from its second-annual Global Cybersecurity Assurance Report Card, which measured the confidence levels of 700 IT security professionals across nine countries and seven industry verticals.
The survey measured two key criteria: Risk Assessment, which represents the organisation’s ability to evaluate cybersecurity risks across 11 key components of enterprise IT infrastructure, and Security Assurance, which represents the organisation’s ability to mitigate threats.
A global perspective
Data from this year’s report reflect a decline in global confidence levels, with the overall grade dropping six points from last year to 70 percent. The global Risk Assessment score dropped 12 percent from the previous year, to a near-failing grade of 61 percent, while Security Assurance remained unchanged at 79 percent.
For the second year in a row, respondents ranked the constantly evolving threat landscape as their biggest security challenge. The heightened technological complexity of today’s modern IT environments is expanding the attack surface and creating more opportunities for cyber criminals to exploit security gaps.
With enterprise networks now composed of mobile, cloud, web apps, virtual machines, IoT devices, BYOD and containers, the days of a well-defined network perimeter that can be secured and defended are long over. Today’s network is dynamic and boundaryless, with an infinite number of threats targeting an elastic attack surface. The issue is not just one category of devices or apps and their individual risk; it is the totality of these assets and how they expand the corporate attack surface, creating new risk to an organisation.
Looking at the top-line results, cloud and mobile platforms rank among the biggest enterprise security weaknesses for organisations. Other areas of concern include the emergence of DevOps and the use of containers, which increases network complexity and causes a decentralisation of enterprise IT resources.
Australia was the only country surveyed to achieve a higher overall score in 2017 compared to the previous year, up two points to earn 71 percent. Although its Risk Assessment score dropped five points to 64 percent, its Security Assurance score rose to 78 percent, the most improved score of any country or industry.
Australian security professionals were confident in their ability to view network risks continuously, measure security effectiveness and convey risks to executives and board members. But they lacked assurance in their ability to assess risk in DevOps environments, physical servers in data centres and mobile devices.
The road ahead
Despite a decline in overall scores, the world’s security practitioners reported an increase in optimism. Sixty-five percent of global respondents said they felt either 'somewhat' or 'significantly' more optimistic about their organisation’s ability to defend itself than last year. Less than 10 percent were more pessimistic.
This result is encouraging, especially in light of the number of data breach headlines and existing concerns about the inability to properly secure rapidly evolving infrastructures. Moreover, the fact that optimism has increased despite such a pronounced drop in cyber readiness suggests that the industry is ready for a change. IT professionals recognise that while it is impossible to have a 100-percent threat-free network, there’s more they can be doing to protect their organisations, and with the right security tools and support from the C-suite, they are ready to do just that.
However, security pros still have a long road ahead of them. The top four security challenges identified in the 2017 report were the overwhelming threat environment, low security awareness among employees, a lack of network visibility and a shortage of qualified security workers. This clearly shows that, while optimism is widespread, there remains considerable work to be done.
Based on these results, there are three key steps that IT security professionals in all sectors should be doing to better understand their level of exposure and risk, and improve their overall security posture:
1. Continuous monitoring:
It's impossible to secure what you can’t see, so organisations should begin with a thorough and ongoing infrastructure and security audit. This not only means having continuous visibility into cloud, hybrid and on-premises environments, but organisations also have to stay ahead of security challenges that accompany new trends and technologies.
Continuous visibility enables rapid detection of threats and vulnerabilities, and periodic active scanning, however frequent, cannot deliver it on its own. Organisations need passive vulnerability scanning and log correlation to achieve true continuous and pervasive monitoring.
2. Communicating success:
With cyber attacks constantly in the news, security is now firmly in the spotlight of senior managers. It is vital for security teams to regularly update management on the progress that has been made and how this compares to others in the sector. Having the right metrics is also crucial to convincing senior executives that cybersecurity should be treated as a high-level business concern.
3. Taking a balanced security approach:
As threats constantly evolve, it’s become clear that security solutions can no longer operate on their own. The days of buying and managing dozens of best-of-breed, layered security products from dozens of different vendors are over. Rather, organisations need a balanced approach to security investment with solutions that, even if from different vendors, form a security ecosystem where everything works together, seamlessly and intelligently.
The foundation of good cybersecurity is knowing what’s on your network at all times. If you can’t see all of your assets, you’re exposed. And if you’re exposed, the entire organisation is at risk. By adopting a modern approach to security that addresses today’s complexities, IT security professionals can be confident they are delivering the best possible protection for their organisation. While it’s true that threats will not disappear, their impact on business operations can be successfully mitigated by staying ahead of attackers and following these simple steps.