Improving an organization’s security posture can be a daunting task. The research, conducted by Ponemon Institute and sponsored by ReliaQuest, reveals that security leaders are committed to being risk-oriented and strategic but lack the fundamentals needed to achieve this objective.
More than 1,000 security leaders were surveyed in the United States (632) and United Kingdom (391), all of whom are familiar with their organizations’ security operations and strategy and knowledgeable about their organizations’ efforts to attain a risk-oriented security posture. Most respondents are involved in implementing solutions (61 percent), followed by evaluating solutions (48 percent). This report presents the consolidated US and UK research findings.
Senior leadership and the board of directors are ill-informed about security risks facing their organization. Only 37 percent of respondents say they are tracking the right security metrics to be able to communicate risks easily and accurately to the business executives and board. As a result, only 31 percent of respondents say senior leadership and the board are tracking cybersecurity risk as a business risk.
Respondents are committed to a stronger risk-based security posture. Their priorities are the ability to migrate applications to the cloud securely, to implement an integration strategy that drives holistic visibility across security tools, and to develop metrics that align security and the lines of business with the organization’s business goals.
The following findings reveal why organizations are at risk and indicate the opportunities for improvement.
Risk management programs are not properly assessed and measured. Fifty-eight percent of respondents say their organizations lack a risk management strategy and decision-making structure. Likewise, 58 percent of respondents say the number one reason they are vulnerable to a data breach is that their organizations lack a well-defined security and risk management program. Only 29 percent of respondents say the risk management program is assessed by lines of business and then aggregated and reported across the entire organization.
There is a lack of visibility throughout the enterprise. Fifty-eight percent of respondents say it is difficult to protect business-critical assets because of the lack of visibility and blind spots in coverage. Sixty percent of respondents say their organizations lack integrated visibility into cloud and on-premises solutions, which they consider a significant obstacle to effective threat detection and investigation practices.
Security teams find it difficult to achieve efficiencies in detecting, investigating and responding to security incidents because of the numerous tools and technologies in use. According to the research, too few people are responsible for too many threat detection tools and technologies: 46 percent of respondents say one staff member could be responsible for between 4 and 10 tools, and 11 percent say one staff member could be responsible for more than 10 tools. As a result, it can take an average of 18 hours, or more than two working days, to detect, investigate and respond to a security incident.
The metrics in use do not reveal risk or support a risk-based management program. Sixty-four percent of respondents say there is a lack of standardized metrics to measure progress in the risk management program. Only 36 percent of respondents say their organizations measure visibility across the IT environment, including on-premises and cloud.
Confidence in the security of the cloud is low. Less than one-third of respondents say they are confident they know all of the cloud computing applications, platforms and infrastructure services in use today. Sixty-two percent of respondents say coverage gaps and lack of visibility make it very difficult and complex to secure data and applications in a multi-cloud and hybrid environment.
Fifty-one percent of respondents say misconfigurations in cloud implementations make their organizations vulnerable to a data breach. Only 19 percent of respondents say their organizations measure the lack of integration caused by disparate cloud environments.