A New Global Survey to Start Cybersecurity Conversations
Websense recently worked with the Ponemon Institute to uncover the attitudes and opinions of security professionals worldwide—specifically regarding the current state of enterprise security. As a security researcher, I wanted to provide my interpretation of these results and highlight how other security professionals can use these findings to start productive conversations with their leadership.
The responses to the Ponemon Institute’s inquiry paint an interesting picture. Security professionals overwhelmingly believe:
• Their companies are not prepared for today’s security threats
• Current security technology provides little or no insight on data loss and cybercriminal activity
• Executives do not believe that data breaches will lead to loss of revenue
Deficient Security Tools
It’s clear that respondents felt their current security tools are deficient in their capabilities, lack reporting, or are oversold and over-marketed. For example, 63 percent of respondents doubt they can stop the exfiltration of confidential information. Sixty-nine percent believe cybersecurity threats sometimes fall through the cracks of their companies’ existing security systems. It’s important to note that the remaining 37 and 31 percent may have a false sense of security, believing that they can prevent, or are preventing, all manner of threats.
All of these statistics reflect a stark reality – there is no 100 percent silver bullet solution in any category of security tools. However, the very fact that a large percentage of the respondents (69 percent) believe that their existing security systems are missing some of the attacks means that the false sense of security is decreasing. More organizations are realizing that one or two point solutions just aren’t going to cut it.
Limited Cybercriminal Activity Visibility, Disconnected Perceived Value of Data
Fifty-nine percent of respondents indicated they do not have adequate intelligence or are unsure about attempted attacks and their impact. I do not think this reflects negatively on the practitioner’s professional acumen. Instead, I would say this is a positive. Security pros want more capabilities, more actionable intelligence and more intelligence sharing.
This desire for more information serves a number of purposes. We want to be more effective in our jobs and we want to help educate our leaders. It is critical that our executive teams understand how a lack of strong security can have a significant impact on the business.
Eighty percent of respondents said their company's leaders do not equate losing confidential data with a potential loss of revenue. I was surprised at the apparent disconnect. I’ve had the benefit in my career of having business leaders that understood the value of confidential data and how a breach could impact market cap, brand perception and revenue. I hope that more information sharing will ensure our business leaders understand the tie between security and revenue.
Ultimately, I think the information provided in this report should serve as a source for quantitative data points that can be used to have open and candid discussions about security effectiveness, risk metrics and data valuation. If organizations aren’t having the dialogue between IT security pros and the company’s top leadership, they should make the time to have that conversation. There’s a very good chance that it will reduce any ambiguity in expectations around security effectiveness and organizational roles and responsibilities.
The survey report is titled “Exposing the Cybersecurity Cracks: A Global Perspective.”