Panaseer has released the third edition of its Security Leaders Peer Report looking at the concerns and constraints currently faced by CISOs and other senior cyber security leaders across the US and UK.
The survey of over 800 respondents from large organizations conducted by Censuswide found that almost 9 in 10 security leaders see the failure of controls expected to be in place as the primary reason for data breaches, and 79 percent of enterprises have experienced cyber incidents that should have been prevented with existing safeguards. As a result, most breaches are preventable but are still occurring – and security leaders are becoming increasingly frustrated.
For the first time, the 2023 report examines how security professionals are personally impacted by the high-pressure environment they work in. Many revealed that a lack of visibility and understanding of their security posture is the leading cause of their frustrations – specifically, the inability to continuously measure enterprise-wide security posture and identify control failures (ranked as number one, with 70 percent frustrated). Incidents that should have been stopped by an expected control followed closely, with 68 percent exasperated by this inability to stop preventable breaches. Respondents also pointed to issues with data and tooling as a bigger driver for security team resignations than demands for higher salary and greater seniority.
Each year, the report also looks at how much time security teams dedicate to manually collecting and reporting on security data. This year, Panaseer found that teams spend 59 percent of their time on these tasks – a 9 percent increase on the previous year's research, and a 64 percent rise from the first survey in 2019. In fact, 70 percent of security teams now spend more than half of their time on manual reporting, leaving less time for threat detection and vulnerability patching.
As explained by Andreas Wuchner, Field CISO at Panaseer, "To effectively reduce the significant amount of time spent manually reporting, CISOs and their teams need to be looking to automation. As well as freeing up qualified security professionals to dedicate time to higher value tasks – from threat detection to business continuity planning – automation provides the road to accurate, trustworthy data. We need to prioritise the maturation of automation, metrics and risk management in order to help teams cope with heavy reporting workloads."
In overcoming the issue of preventable breaches and frustrated security teams, only 44 percent of organizations are extremely confident in their ability to continuously measure their control gaps. Respondents have pointed to a lack of internal resources (39 percent), inability to evidence remediation (38 percent), ineffective tooling (34 percent) and poor control failure visibility (34 percent) as the reasons behind this lack of confidence.
However, 82 percent agree that monitoring and addressing expected controls failure and risk would likely have a bigger impact on their security posture than buying additional tools. This is particularly pertinent given the issue of tool sprawl – the two previous reports have found that it's not uncommon for organizations to use more than 75 or even 100 security tools.
Fortunately, awareness of how these control failures can be addressed is growing. 88 percent of security leaders stated they are likely to implement a continuous controls monitoring (CCM) platform in the next two years, a solution critical to measuring and advising on security control effectiveness. That compares to 79 percent who said the same in 2022.
Other key findings from the report point towards a lack of confidence in what to measure to improve security posture. These include:
- Nearly all (99 percent) security leaders are actively engaged in trying to benchmark their security metrics, policies and standards, but almost three-quarters (72 percent) admit they are not absolutely satisfied with their ability to do so currently.
- Less than half of respondents are highly confident they are continuously evaluating best practice security metrics specifically aligned to their organizational size and industry.
- Of the remainder, 47 percent simply don't know the right metrics to monitor and 51 percent don't have the resources to help them do it