Forrester study highlights ‘a false state of confidence’ when it comes to enterprise cyber security
- Published: Friday, 27 September 2019 08:15
Panaseer has released the results of a sponsored study conducted by Forrester Consulting which found that the key challenge facing security leaders is misplaced confidence that the abundance of technology investments they have made has strengthened their security posture.
The study surveyed over 250 senior security decision makers in North America and Europe. Participants included CISOs, CIOs, and IT and security VPs from organizations ranging from 3,000 to over 25,000 employees.
Currently security leaders employ a variety of tools and technologies to identify risks and test the effectiveness of their security controls. As a result, security leaders are left with point-in-time assessments that require them to ‘cobble together’ data from disparate systems to truly understand the organization’s security posture. This approach is reactive, time-intensive, and insufficient in scale.
The study claims that the above has led to a disparity between appearance and reality, where security decision makers are being given a false state of confidence. 86 percent of respondents are confident or very confident that they have no gaps in their security controls deployed across devices, applications, people, and data. However, the complexity of today’s IT infrastructures and the heterogeneity of enterprise security tools make it difficult for security pros to protect their environments.
The study states: “Rightfully, companies are prioritizing their security and risk initiatives and investing in multiple technologies. Unfortunately, technology investments have provided a false sense of confidence in their security posture. Security leaders must understand that a proactive approach to cybersecurity requires the right tools, not more tools.”
97 percent of respondents reported experiencing challenges with their tools. When asked about the biggest challenges they face with their security tools, respondents gave the following top answers:
- Controlling coverage gaps across security functions (56 percent);
- Viewing a comprehensive list of assets across the organization (43 percent);
- Collecting, normalizing, aggregating, deduplicating, and correlating disparate data (39 percent);
- Tracking which assets and controls do not meet regulatory and compliance policies (39 percent);
- Determining the effectiveness of security controls (38 percent);
- Getting a real-time view of corporate risks (37 percent);
- Tracking performance of security controls over time (37 percent).
As threat levels increase, 64 percent of companies are making it a high or critical priority to implement a risk framework aligning cyber security risk and enterprise risk. However, the study identifies that one in five do not have a centralized approach for risk management.