Ponemon Institute, with sponsorship from BMC, conducted the study on Separating the Truths from the Myths in Cybersecurity to better understand the security myths that can be barriers to a more effective IT security function and to determine the truths that should be considered important for the overall security posture. In the context of this survey, cybersecurity truths are based on the actual experience of participants in this research. In contrast, cybersecurity myths are based on their perceptions, beliefs and gut feel.
More than 1,300 IT and IT security professionals in North America (NA), United Kingdom (UK) and EMEA who have various roles in IT operations and security were surveyed. All respondents are knowledgeable about their organizations’ IT security strategies.
Separating the truths from the myths in cybersecurity
Following are statements about cybersecurity technologies, personnel and governance practices. Participants in this research were asked whether these statements are considered truthful or whether they are based solely on conjecture or gut feel (i.e. myth). Specifically, respondents rated each statement on a five-point scale from -2 = absolute myth, -1 = mostly myth, 0 = can’t be determined, +1 = mostly truth and +2 = absolute truth. The number shown next to each statement is the average index value compiled from all responses in this study. As can be seen, not all myths and truths are equal: the index values range from -1.04 to +0.78.
Using nonparametric statistical methods, we separated the statements whose index value is significantly above 0 (i.e. truth) from those whose index value is significantly below 0 (i.e. myth).
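The report says only that "nonparametric statistical methods" were used to decide whether a statement's average index value is significantly above or below 0. The following is an added worked example, not code or data from the Ponemon Institute/BMC study: it computes the index value for a statement from its response counts on the -2..+2 scale and applies an exact two-sided binomial sign test (an assumption chosen for illustration; the report does not name its test) to label the statement truth, myth or undetermined. The response counts are constructed and deliberately small so the arithmetic can be checked by hand.

```python
"""Separate survey statements into truth / myth / undetermined.

Added example, not part of the Ponemon/BMC report. The sign test is an
assumed choice of nonparametric method; the response counts are constructed.
"""
from math import comb

# Constructed response counts (score -> number of respondents). NOT study data.
# Scale as in the report: -2 absolute myth, -1 mostly myth, 0 can't be
# determined, +1 mostly truth, +2 absolute truth.
SAMPLE_RESPONSES = {
    "There is a skills gap in the IT security field.":
        {2: 5, 1: 4, 0: 1, -1: 1, -2: 0},
    "Too much security diminishes productivity.":
        {2: 0, 1: 2, 0: 0, -1: 6, -2: 4},
    "Insider threats are costlier to detect and contain than external attacks.":
        {2: 1, 1: 5, 0: 1, -1: 3, -2: 1},
}


def index_value(counts):
    """Average index value over all responses, as printed next to each statement."""
    n = sum(counts.values())
    return sum(score * k for score, k in counts.items()) / n


def sign_test_p(pos, neg):
    """Two-sided exact binomial sign test.

    Responses of 0 ("can't be determined") are ties and are dropped. Under the
    null hypothesis each remaining response is equally likely to be positive
    or negative, so the count of the rarer sign is Binomial(n, 1/2).
    """
    n = pos + neg
    if n == 0:
        return 1.0
    k = min(pos, neg)
    lower_tail = sum(comb(n, i) for i in range(k + 1)) / 2 ** n
    return min(1.0, 2 * lower_tail)


def classify(counts, alpha=0.05):
    """'truth' if significantly more positive than negative responses,
    'myth' if the reverse, otherwise 'undetermined'."""
    pos = sum(k for score, k in counts.items() if score > 0)
    neg = sum(k for score, k in counts.items() if score < 0)
    if sign_test_p(pos, neg) < alpha:
        return "truth" if pos > neg else "myth"
    return "undetermined"


def separate(responses, alpha=0.05):
    """Map each statement to (index value rounded to 2 places, verdict)."""
    return {stmt: (round(index_value(c), 2), classify(c, alpha))
            for stmt, c in responses.items()}


if __name__ == "__main__":
    for stmt, (idx, verdict) in separate(SAMPLE_RESPONSES).items():
        print(f"{idx:+.2f}  {verdict:<12} {stmt}")
```

The third constructed statement is the instructive case: its index value is positive (+0.18) but the sign test cannot distinguish it from 0, so it stays undetermined. A positive average alone is not what the report calls a truth; the significance test is what moves a statement into one of the two lists.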
Truth – The test statistic confirms the following statements are mostly believed to be a fact
- There is a skills gap in the IT security field. +0.78
- Security patches can cause greater risk of instability than the risk of a data breach. +0.52
- The cloud is cost effective because it is easier and faster to deploy new software and applications than on-premises. +0.52
- Greater visibility into all applications, data and devices and how they are connected lowers an organization’s security risk. +0.45
- Malicious or criminal attacks are the root cause of most data breaches. +0.42
- A strong security posture enables companies to innovate and take risks that can lead to greater profitability. +0.33
- IT security and IT operations work closely to make sure resolution and remediation of security problems are completed successfully. +0.22
- Many organizations are suffering from investments in disjointed, non-integrated security products that increase cost and complexity. +0.09
Myth – The test statistic confirms the following statements are mostly believed to be a myth
- Too much security diminishes productivity. -1.04
- A strong security posture does not affect consumer trust. (In other words, a strong security posture is considered beneficial to improving consumers’ trust in the organization.) -0.87
- Automation is going to reduce the need for IT security expertise. -0.55
- Artificial intelligence and machine learning will reduce the need for IT security expertise. -0.50
- It is difficult or impossible to allocate the time and resources to patching vulnerabilities because it leads to costly business disruptions and downtime. -0.41
- Insider threats are costlier to detect and contain than external attacks. -0.27
- Nation state attacks are mainly a threat for government organizations. -0.24
- Security intelligence tools provide too much information to be effective in investigating threats. -0.21
Discussion — the state of cybersecurity
Senior management believes in the importance of the IT security function. Sixty-one percent of respondents say their senior management does not view IT security as a strictly tactical activity, which would reduce its importance in senior management’s eyes. Respondents concur that IT security in their organization is considered a strategic imperative.
Companies face a shortage of skilled and competent in-house staff. According to another Ponemon Institute study, 70 percent of chief information security officers and other IT security professionals surveyed say a lack of competent in-house staff is what they worry about most when trying to defend their companies against cyberattacks. Further, 65 percent of these respondents say the top reason they are likely to have a data breach is inadequate in-house expertise.
Are tensions between the IT and IT security function diminishing the security of organizations? Fifty-six percent of respondents agree that there is tension between IT security and IT operations because of a lack of alignment of their different priorities. Specifically, IT operations is more concerned with the organization’s business objectives and IT security is focused on securing the enterprise from cybersecurity threats.
However, many respondents believe that despite this tension, IT security and IT operations work closely to make sure resolution and remediation of security problems are completed successfully. Collaboration between these two groups can be improved through the use of tools that bring these two functions closer together and foster teamwork which will benefit the organization as a whole.
Investments in security technologies should be aligned with the overall IT strategy and not lead to complexity. While the priorities of IT security and IT operations are often not in alignment, investments in technologies are consistent with their organizations’ overall IT strategy, according to 60 percent of respondents. However, respondents believe many organizations are suffering from investments in disjointed, non-integrated security products that increase cost and complexity.
Technology investments are often motivated by well-publicized data breaches. Fifty percent of respondents say data breaches that are widely reported in media can influence the decisions to purchase security technologies. While companies may purchase cyber insurance to manage the financial consequences of a data breach, only 34 percent of respondents say such a policy would reduce their investments in security technologies.