Security executives are increasingly aware of the cyber threats that could undermine the security of their organizations. However, many of these same executives still lack confidence in their organization’s ability to protect against, or recover from, such threats, according to a recent survey commissioned by Raytheon|Websense.
This lack of confidence is not unfounded. The report, Why Executives Lack Security Posture Confidence While Knowing That The Metrics They Use To Gauge It Are Ineffective, which polled 100 security executives in March 2015, revealed that nearly nine in 10 organizations have had at least one breach that resulted in a loss or compromise of data in the past year.
Consequently, fewer than one third of the survey respondents have confidence in their organization’s security posture, and only slightly over one quarter were confident that their communications and security posture were truly effective.
In 2015, Gartner, an IT research and advisory company, estimated that organizations will spend almost $77 billion on security measures by the end of the year. Yet the executives making this investment remain only “somewhat confident” that it will pay off.
“We know threats are going to get in. If we want to be more confident, we need to shift our thinking to metrics such as dwell time, or reducing the time a threat is in our network, which reduces damage and helps strengthen our overall security posture,” said Raytheon|Websense President Ed Hammersla.
Hammersla said, “With security spending continuing to skyrocket, it is more important than ever to be able to report on metrics that matter, not just quantitative metrics like counting breaches. When breaches are constant, and inevitable, we need a better way.”
Alarmingly, the survey revealed that these executives continue to rely mainly on quantitative metrics aimed at preventing breaches, metrics that say little about what happens once a breach has actually occurred. Organizations need to track how long a threat, attacker or attack vector exists inside the organization (its dwell time, measured from the earliest evidence of compromise to detection), since reducing the time a malicious threat resides and acts from within the organization greatly reduces the potential damage.
“Think of it like this,” the survey report said. “It is doubtful that anyone in the security operations at one of the high profile companies that suffered security incidents is touting the number of breaches as a significant metric. Even if they went down year-to-year, it only took one to inflict incalculable damage. Both companies had threats existing in their networks for many months before detection (e.g. significant dwell time). If the focus were more inward, they would have had a better chance at reducing or eliminating the threat.”
According to the report, research shows attackers spend an average of 229 days inside a network before discovery, and the average breach costs about $5.85 million in the US.
Consequently, the report recommended that “Organizations should move with urgency to employ different detection, analysis, and ejection techniques so that they can get back to business.”
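The following is an added example, not part of the survey report or the article, showing how a security team could compute dwell time as a metric from its own incident records. The incident records are constructed for illustration, and the field names (first_evidence, detected, source) and the 30-day target are assumptions. It reports median as well as mean because a single long-running intrusion (like the 229-day figure above) dominates an average, treats incidents where the first evidence of compromise could not be established as unknown rather than silently as zero, and separates internally detected incidents from those reported by outside parties, since the latter typically carry the longest dwell times.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (hypothetical, not survey data).
# first_evidence: earliest attacker activity found by the investigation
#                 (None when it could not be established).
# detected:       date the security team opened the incident.
# source:         who found it, "internal" (own monitoring) or "external"
#                 (law enforcement, partner, customer, etc.).
INCIDENTS = [
    {"id": "INC-001", "first_evidence": "2015-01-03", "detected": "2015-01-05", "source": "internal"},
    {"id": "INC-002", "first_evidence": "2014-06-10", "detected": "2015-02-20", "source": "external"},
    {"id": "INC-003", "first_evidence": "2015-02-01", "detected": "2015-02-28", "source": "internal"},
    {"id": "INC-004", "first_evidence": None,         "detected": "2015-03-15", "source": "external"},
    {"id": "INC-005", "first_evidence": "2015-03-01", "detected": "2015-03-12", "source": "internal"},
]

# Assumed organizational target for maximum dwell time, in days.
DWELL_TARGET_DAYS = 30


def _parse(date_str):
    return datetime.strptime(date_str, "%Y-%m-%d")


def dwell_days(incident):
    """Dwell time in whole days, or None if first evidence is unknown.

    Raises ValueError for records where detection precedes first evidence,
    which indicates a data-entry error rather than a real dwell time.
    """
    if incident["first_evidence"] is None:
        return None
    delta = _parse(incident["detected"]) - _parse(incident["first_evidence"])
    if delta.days < 0:
        raise ValueError(f"{incident['id']}: detection precedes first evidence")
    return delta.days


def dwell_report(incidents, target_days=DWELL_TARGET_DAYS):
    """Summarize dwell time across a set of incidents.

    Returns mean, median and maximum dwell (days), the per-source mean,
    the incidents exceeding the target, the share of incidents found by
    internal monitoring, and the incidents whose dwell could not be measured.
    """
    measured = []
    unknown = []
    over_target = []
    by_source = {}
    for inc in incidents:
        d = dwell_days(inc)
        if d is None:
            unknown.append(inc["id"])
            continue
        measured.append(d)
        by_source.setdefault(inc["source"], []).append(d)
        if d > target_days:
            over_target.append(inc["id"])
    internal = sum(1 for inc in incidents if inc["source"] == "internal")
    return {
        "count": len(measured),
        "unknown": unknown,
        "mean_days": mean(measured) if measured else None,
        "median_days": median(measured) if measured else None,
        "max_days": max(measured) if measured else None,
        "by_source": {s: round(mean(v), 1) for s, v in by_source.items()},
        "over_target": over_target,
        "internal_detection_rate": internal / len(incidents) if incidents else None,
    }


if __name__ == "__main__":
    for key, value in dwell_report(INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the mean dwell is about 74 days while the median is 19, and the one externally reported incident accounts for the difference; reporting both, plus the count of incidents over target, tells an executive far more than a breach count does.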
Additional key findings include:
- 28 percent of executives surveyed felt the security metrics they used were “completely effective”;
- 65 percent felt the metrics they used were only “somewhat effective”; and
- Only 33 percent use dwell time as a metric, compared with 39 percent who track the cost of incidents and 39 percent who track the reduction in vulnerabilities.
This is not the first survey to find that executives lack confidence in their ability to prevent security breaches. Homeland Security Today recently reported on another Raytheon|Websense survey, which found that IT security professionals feel data security is not a priority for the senior executives in their organizations.
In addition, a recent report by the RAND Corporation found that chief information security officers (CISOs) believe cyber attackers are gaining the upper hand, despite increased cyber expenditures and greater focus on cybersecurity.
One CISO, painting a bleak picture of the current state of cybersecurity, said, “It will get worse before it gets better, and I do not know if things will get better.”