Building A Trustworthy Security Posture

Key takeaways include:

  • Just 34% of buyers look to industry bodies for guidance when choosing a solution
  • 70% of CISOs and other security leaders lack confidence in their overall security posture
  • 71% of organizations promote their cyber robustness to partners and customers

Content Summary

Will the defenses hold?
A matter of confidence
Security professionals have reservations about their organization’s security posture
Barriers
Mitigating the risks
Bouncing back from a breach
Security professionals left uncertain and in compromising positions
Sourcing advice
The impact of outsourcing
The future is promising
Defend with confidence
Methodology and executive analysis

Will the defenses hold?

On average, businesses last year experienced an astonishing 145 security breaches at the average cost of £13m per organization.[1] Given the rapid increase in the volume and cost of cybercrime, it’s little wonder that businesses seem to be focusing on cybersecurity more than ever. As far back as 2016, a report by Lloyds found that more than half of organizations in Europe have placed responsibility for their cybersecurity posture on the shoulders of the CEO.[2] Similarly, a survey by NYSE found that more than 80% of respondents discuss cybersecurity at most or all boardroom meetings.[3]

With statistics like that it’s tempting to think that the days when IT and their security teams had to fight to prove the value of cybersecurity are well and truly over. The challenges and costs of cybercrime are now out in the open, and it’s easy to assume that means all security teams are now well-funded, supported from above and able to carry out their work with complete confidence. But is this the case? How confident are security professionals that they have the resources, technology, talent and budgets required to meet the growing threat facing their organizations?

To help answer these and other key questions, we polled the views of 274 Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), Chief Technology Officers (CTOs) and other security professionals from private and public sector organizations in the UK and US. Our research reveals that:

  • Security professionals have serious reservations about their organization’s overall security posture
  • There’s a consensus that lack of investment by the business in skills and training is a real problem
  • Security professionals are uncertain and in compromising positions despite investing in an array of technology
  • Most respondents believe the future will be better, with their businesses placing more of a focus on cyber protection

70% of security professionals lack confidence in their overall security posture.

76% of respondents believe cyber security will increase as a business priority in the future.

A matter of confidence

Security professionals have reservations about their organization’s security posture

When it comes to the organization’s overall security posture, which includes the technology stack but also incorporates elements such as procedures, processes and human behaviors, the confidence of the security professionals we interviewed was far from strong. 70% expressed some sort of dissatisfaction, reporting that they are only ‘moderately’, ‘somewhat’ or ‘slightly’ confident in their overall security posture.

How confident are you in your organization’s overall security posture?

  • 30% Very confident
  • 38% Moderately confident
  • 21% Somewhat confident
  • 10% Slightly confident
  • 1% Not confident

Barriers

When it comes to protecting their organization, many security professionals find a range of barriers standing in their way. The biggest challenge to effective cybersecurity is the increasing sophistication of threats (49%), which is largely outside the direct control of organizations (see more on this in the next section). However, many other key challenges are well within the power of business leaders to address. These include insufficient staff training (41%), lack of funding (34%), insufficient staffing (31%) and a lack of board support (29%).

Do any of the following challenge your organization’s cybersecurity efforts?

Two of the most interesting barriers are insufficient staff training (40%) and insufficient staffing (31%): two facets of a cybersecurity skills gap that will prevent organizations from putting an optimal security posture in place. The security skills gap has been discussed at length in the industry, and closing it is essential to building confidence in a security posture.

Other barriers differ from region to region, as might be expected. In the UK, for example, lack of funding (44%) was much more important than in the US (26%), perhaps reflecting different budget priorities between the two countries. Regardless of such differences however, our survey reveals some significant barriers that limit the tools available to security professionals to build a more resilient security posture.

Two things need to happen to enhance the confidence of security professionals in their postures. First, organizations must put the right technology in place so that threats aren’t seen as insurmountable. Second, the right investment must be made, both in budgets and in people.

Mitigating the risks

As mentioned above, the top threat to an effective cybersecurity posture is the increasing sophistication of cybercrime. What does this look like in reality? Looking at the sorts of attacks that companies have weathered over the past year, it’s notable that in addition to the perennials of cybercrime (phishing, viruses and malware, 44%), two common attack methods both relate to employees: staff receiving fraudulent emails (44%) and the unauthorized use of computers/networks/servers by staff (34%).

Cyber awareness amongst employees still poses a very real threat to businesses, and our findings add real weight to the argument that when it comes to cybersecurity, employees should be the first line of defense against cybercrime. Instilling good cybersecurity habits in all staff, not just IT, is the best way for organizations to defend against evolving cyber threats.

It should also be noted that as companies look to understand the risks facing their organizations, a first step in building a security posture you can have confidence in, they must take stock of the threats most relevant to their industry. Our research shows certain threats are much more prevalent in some sectors than others.

For example, 49% of respondents from financial services businesses said their organization experienced a cyber-attack and/or breach within the past 12 months, with the most common attack being staff receiving fraudulent emails (52%) and the least common being ransomware (30%). Meanwhile, 64% of respondents from legal companies said their organization experienced a cyber-attack and/or breach within the past 12 months. For these respondents, ransomware and hacking (57%) were the top attack types.

Building sector-specific threat profiles that take into account the sort of information likely to be targeted, along with the most common threat vectors, can help organizations put a robust and reliable response in place. For financial services firms, this would include analysis of external factors such as increasing regulatory oversight to test the resilience of IT systems and cyber defenses. Legal firms, meanwhile, would likely consider the impact of GDPR given the large volume of sensitive personal and commercial data at their disposal. This would then need to be augmented with detailed threat intelligence.

Bouncing back from a breach

According to our research, uncertainty around successfully dealing with a repeat attack detrimentally affects the confidence of security professionals. Two-thirds of those hit by a breach in the previous 12 months (68%) weren’t very confident that their organization could defend against the same type of attack again. Interestingly, US respondents were significantly more confident of their ability to defend against an attack they have previously experienced compared to those from the UK: 40% vs. 22%.

However, the range of attack types is vast, spanning malware, phishing, DNS hijacking and much more, and organizations that suffer a breach are most often attacked more than once in a 12 month period. The inability of companies to bounce back from an attack is therefore clearly a potential weak point for the future.

Enterprises, therefore, need to be sure they’re protecting against all types of attacks and that they take the right action when hit. That means doing more than simply defending against an attack in progress. Instead, companies must learn from past attacks and use this information to inform the future security posture. By viewing attacks as valuable lessons, and using these lessons to improve, organizations should be able to boost their confidence in their security approach and overcome some of the most intractable of security challenges. Even then, some key challenges remain in the way.

Security professionals left uncertain and in compromising positions

When asked whether they are confident that they have chosen the right or best security solution for their business, given that there are so many to choose from, our respondents were uncertain. While 31% reported being ‘very confident’ they have made the right choice, the majority were not so sure: 67% were just ‘moderately’, ‘somewhat’ or ‘slightly’ confident in their choice, while 2% weren’t confident at all.

Given the wide array of solutions available, how confident are you that your organization has chosen the right/best one?

  • 31% Very confident
  • 34% Moderately confident
  • 20% Somewhat confident
  • 13% Slightly confident
  • 2% Not confident

There was some difference here depending on the country the interviewee was from. Respondents from the US were much more likely to be confident in their choice than their peers in the UK: 37% vs. 22%. While cultural influences are no doubt a factor here, it is perhaps also down to the fact that respondents from the US are more likely to work at organizations of 5,000+ employees (35% vs. 28%), where there are typically tighter processes around procurement.

The confidence levels of security professionals were similarly mixed when it comes to the effectiveness of an organization’s security stack. Most scored their stack an 80% in terms of effectiveness, with less than a fifth (17%) feeling confident enough to rate it 100% effective.

These findings are important because, despite the relative lack of confidence in their security solution, 71% of security professionals questioned also say their organization touts its cyber robustness to partners and customers.

Sourcing advice

When looking to purchase a new security solution, the security professionals we spoke to are turning to outside experts for help. However, some are more trusted than others.

Across all sectors, industry bodies are the least trusted source of cyber security advice when choosing a security solution, with only 34% of buyers looking to them for guidance. This is at its lowest in the transport sector, where only 19% of buyers look to them for advice. The most popular source of advice is vendors themselves (53%), followed by consultants (53%) and analysts in third place (52%). Only in the government sector is this different: there, buyers seek advice from industry bodies first (57%) and security vendors last (29%).

Where did/do you seek advice when choosing a security solution?

The impact of outsourcing

When we asked explicitly about outsourced services, we discovered a good deal of confidence in the ability of outsourcers to help protect businesses. Around half (51%) of the people we spoke to said they believe the risk level associated with outsourced cyber security is more or less equivalent to that of traditional IT environments. In this regard, the UK is significantly more likely to feel that the risk is ‘about the same’ (61%) than the US (44%), an interesting finding given that US companies are more likely to seek advice from outsourcers.

Once again, we see lower levels of confidence in sectors where the impact of a security breach is highest: respondents from government sector businesses, for example, believe that there is a higher risk to outsourced services (48%), while utility companies are almost as likely to say the risk is higher as to report that it is roughly the same (40% vs. 44%).

This may relate to a lingering misperception that managing all security services in-house is by default the most secure option, because the IT team retains complete control of data and systems. In reality, modern outsourced security services often offer the highest levels of security, since the services are kept constantly up to date and draw on the expertise of a large, dedicated security team. The best outsourced services can be deployed either through the cloud or as an in-house system, so firms can maintain direct control and oversight if required.

The future is promising

If today’s security professionals are ambivalent about their security postures and feel hamstrung by a lack of funding and skilled talent, the future looks much brighter. The vast majority (76%) of respondents believe that cyber security is increasing as a priority within their organizations and many are already noticing a difference. When asked whether their confidence in their overall security posture has changed over the past year, 62% reported that it had improved, compared to just 28% who thought it had stayed the same and 10% who said it had decreased. That is a very positive sign.

Also good news is the fact that 80% of organizations are measuring the performance of their security stack. By doing so, these companies are giving themselves the data they need to identify where best to make new security investments.

Based on our survey, the areas that will receive the most investment over the next three years are cyber monitoring (16%), cyber resilience (14%) and cyber governance (12%), while areas such as strategy and program transformation (3%), stakeholder awareness (4%) and third-party/supply chain management (6%) will receive less, perhaps because businesses already think they are doing enough there. The picture emerging is of security teams that understand what needs to change and are confident that, over the medium term, their company will support them in making these changes.

In the next three years, in which area do you expect to see the most investment?

  • 3% Strategy and program transformation
  • 4% Stakeholder awareness and communications
  • 7% Cyber reporting
  • 8% Compliance/Regulations
  • 6% Third-party/Supply chain management
  • 11% Endpoint/Network security
  • 9% Application/Data protection
  • 14% Cyber resilience
  • 12% Cyber security governance
  • 16% Cyber monitoring
  • 9% Identity/Access management

However, it’s important to note that major issues, such as the skills gap, won’t be solved overnight. What’s more, many respondents still feel uneasy about what the future may have in store. For example, 46% said they are concerned that internal developments within the business may increase its vulnerability to cyber attacks.

Security professionals, therefore, need to focus on areas that can help allay their fears over the ever-evolving threat landscape. This will include sophisticated network detection and response technology, to catch threats early and mitigate their impact, combined with an effort to train staff and create a more resilient organization. Such technologies can help firms prepare for the unknown: both new threats and threats that target new vulnerabilities.

Defend with confidence

The evolution of digital technology within enterprises and public sector organizations has progressed at a blistering pace. Today, companies and agencies have more ways to engage with their customers and stakeholders, and new digital-first business models are opening revenue streams and helping to create interconnected ecosystems of partners. These ecosystems are linked by complex digital networks and huge volumes of data all centered on delivering breakthrough experiences to customers, employees and citizens.

But as the benefits of digitalization have increased, so too have the threats. In many cases security teams have been left scrambling as new generations of increasingly sophisticated cyber attacks have disrupted the operations of even the largest businesses. The prevailing attitude to emerge is not one of confidence: around half of CEOs, for example, think that their organization becoming the victim of a cyber attack is a case of ‘when’, not ‘if’.[4]

It’s therefore not surprising that as of 2019, many cyber security professionals in the UK and the US have mixed feelings about the state of their security posture. Confidence in the technology is there, but so too is a nagging doubt that they do not have the best on offer. Meanwhile, few businesses can claim to have complete confidence in their overall security posture.

However, the future offers much promise. Firms are prioritizing cyber security like never before, and security professionals are measuring their security performance and have plans to invest in the areas that will drive the most improvement in their organization. Confidence levels will likely increase in line with these changes.

The advance of cyber security tools will also help build confidence. Modern cyber monitoring tools that leverage sophisticated machine learning and AI systems can help firms identify and shut down attacks, both known viruses, malware and phishing attacks and new and zero-day attacks. Such approaches give security professionals the confidence they need that attacks will be detected and stopped before they cause harm.

Security teams should always be watchful. There will always be new threats, and there will always be criminals looking to exploit vulnerabilities. However, security teams need not have sleepless nights over their security posture. By investing in employee training and reskilling, by identifying the right tools and prioritizing investment accordingly, and by seeking advice from a wide range of experts and service providers, security teams can rest assured that everything that can be done to secure the enterprise is being done.

Methodology and executive analysis

Nominet commissioned a survey of 274 Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs), Chief Information Officers (CIOs) and other professionals with responsibility for overseeing the cyber security of their organization.

Respondents were sourced from large organizations (with 2,500 employees or more) within the UK (117) and the US (157), spanning a range of industries and sectors including automotive, critical national infrastructure (CNI), finance, government, healthcare, hospitality, legal, life sciences, retail, transport and utilities.

Source: Nominet Cyber Solutions