Sponsored by Illusive Networks, Ponemon Institute surveyed 627 IT and IT security practitioners in the United States to understand how well organizations are addressing the cyber risks associated with attackers who may already be residing within the perimeter, including insiders who might act maliciously.
All participants in this research are involved in the evaluation, selection and/or implementation of IT security solutions and governance practices within their organizations.
This study starts with the premise that mitigating business impact once attackers are within the environment requires the ability to:
- Understand which cyberthreats pose the greatest risk and align the cybersecurity program accordingly;
- Proactively shape security controls and improve cyber hygiene based on an understanding of how attackers operate;
- Quickly detect attackers who are operating internally;
- Efficiently prioritize and act on incidents based on real-time awareness of how the organization could be impacted.
The data indicates that organizations have low confidence in their ability to prevent serious damage from post-breach attacks. When presented with a set of statements, only 36 percent of respondents express agreement or strong agreement that their security team is effective in detecting and investigating cybersecurity incidents before serious damage occurs.
It is welcome news, then, that security budgets are shifting in favor of allocating greater resources to threat detection and response.
For organizations to get to where they need to be is an uphill challenge. While more than half (56 percent) of respondents to this survey believe they have reduced attacker dwell time over the past year, the remaining 44 percent say they have not (32 percent) or don’t know (12 percent). And not all attacks and incidents are equal. The survey also shows that only 28 percent of respondents agree or strongly agree that their security technologies are optimized to reduce top business risks. A recurring theme in this study is that the inability to see and act on what matters most to the organization hampers the effectiveness of multiple functions.
Part 2. Key Findings
In this section of the report we analyze the key findings of the research. The complete audited findings are presented in the Appendix of the report. We have organized the report according to the following topics:
- The risk alignment problem between IT security and the business
- Current capabilities to preempt, detect, and respond to post-breach attackers
- Takeaways: Toward better risk mitigation for post-breach or resident attacks
A. The risk alignment problem between IT security and the business
Comparing a few key data points makes it clear that the day-to-day functioning of IT security is not well-aligned to business needs.
Although 56 percent of respondents say business leaders consider cybersecurity a top business risk, only 29 percent of respondents say business leaders communicate their business risk management priorities to IT security leaders, and only 29 percent of respondents say their security leaders effectively align security with top business risks.
Over 70 percent of respondents say senior leaders do not clearly communicate business risk. Some 71 percent of respondents say they are not informed about what senior managers consider their organizations’ business risk management priorities—important guidance if IT security is to prioritize what’s most important to the business.
Respondents also doubt that their leadership understands how persistent and advanced threats can affect the enterprise (68 percent) and that IT security controls are not 100 percent effective (65 percent).
It makes sense, then, that 60 percent also indicate that leaders don’t understand that the risk of a successful cyberattack should be an ongoing concern.
Business leaders appear to be conflicted about the importance of a strong cybersecurity posture—or perhaps leaders don’t understand the importance of a business-aligned, proactive approach or their role in it. When respondents were asked to describe their executives’ views of the importance of the cybersecurity program, the top two responses seem contradictory.
On the one hand, respondents indicate that executives think a cyberattack could pose a strategic or existential threat to their organization (40 percent of respondents), yet given how important cyber risk seems to be, a reactive approach seems fairly prevalent; almost half (49 percent of respondents) say their organizations’ executives think cybersecurity should be addressed on an as-needed basis when problems arise.
The business/security collaboration gap is reflected in many ways. Whether fault for the disconnect lies on the side of IT security leaders, senior executives, or both, only 35 percent of respondents say their IT security leaders are proactively included in planning and decision-making for new technology and business initiatives, and only 29 percent of respondents say IT security leaders effectively align security investments, processes, and controls with top business risks. Other steps not taken are having well-defined criteria for determining when to involve business leaders in responding to a cybersecurity incident or issue (only 30 percent of respondents agree), as well as educating business leaders on cyber risks that may impact their organization (only 38 percent of respondents agree).
Only about half (51 percent of respondents) say their organizations’ executives and senior management respect IT security leaders. As a possible consequence, only 37 percent of respondents say the security team has the support it needs from business teams to design and execute business-oriented threat detection and incident response capabilities.
Respondents say that protecting high-volume private data is not the top concern. Respondents were asked to identify the cyberattacks that pose the greatest risk to their business. Given the lack of communication about business risk, these views may not reflect the views of business leaders, but it is notable that although large breaches of PII, EHI, payment and employee data tend to hog the headlines, these are not respondents’ top concerns. The data indicate that the threat of intellectual property or other strategic information theft—theirs or their clients’—and various forms of disruption are significantly higher on the risk scale.
Also, 60 percent of respondents say the worst consequence of a cyberattack would be tampering with or compromising the integrity of their products or services, followed by the disruption of their core business network (58 percent of respondents). Threats to executive safety and privacy are also high on the list.
Business leaders lack understanding of the threats. Leaders cannot communicate effectively with IT security leaders or set cyber risk management priorities without a foundational understanding of the threat actors an organization needs to contend with, yet 68 percent of respondents say their executives and senior management do not have a good understanding of how threat actors work and the harm they can cause. Among technical functions, where granular threat understanding is necessary for strong detection and response, organizations fare better, but could be stronger.
Basic asset and access governance are only halfway there. A risk-focused approach also requires a strong picture of where the important IT assets are and who has access to them. Some 54 percent of respondents agree or strongly agree that their security team has up-to-date knowledge of which data, systems and infrastructure components support critical business processes, yet when asked a series of more detailed questions pertaining to asset awareness and change management, respondents rate themselves considerably lower. The ability to keep pace with rapidly changing users, user functions, and IT infrastructure continues to be a challenge.