53% of enterprises have no idea if their security tools are working
The majority of organizations don’t know if the security tools they deploy are working, and are not confident they can avoid data breaches, according to AttackIQ.
AttackIQ released the report based on Ponemon Institute research evaluating the efficacy of enterprise security strategies. Ponemon surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organization’s IT security strategy, tactics and technology investments.
“The significant number of security experts who have observed a security control falsely reporting it blocked a cybersecurity attack is alarming,” said Larry Ponemon, founder and chairman of Ponemon Institute.
“When processes and solutions like this fail, many companies respond by throwing more money at the problem. Further security spending needs to be put on hold until enterprise IT and security leaders understand why their current investments are not able to detect and block all known adversary techniques, tactics and procedures.”
According to the findings, organizations are investing heavily in cybersecurity technologies, but their IT teams are unsure if these tools are working as expected in terms of truly protecting the network. Key data points include:
- Companies surveyed are spending an average of $18.4 million annually on cybersecurity
- 58 percent of companies will be increasing their IT security budget by an average of 14 percent in the next year
- 53 percent of IT experts admit they don’t know how well the cybersecurity tools they’ve deployed are working
- 63 percent of respondents said they have observed a security control reporting it blocked an attack when it actually failed to do so
- Only 39 percent of respondents say they are getting full value from their security investments
Despite deploying many different cybersecurity solutions, companies are not confident their technology investments, staff and processes can reduce the chances of a data breach.
This lack of confidence stems largely from uncertainty in the efficacy of cybersecurity tools and the ability of staff to identify gaps in security and to respond to security incidents in a timely manner. Key data points include:
- Companies deploy on average 47 different cybersecurity solutions and technologies
- Less than half of IT experts are confident that data breaches can be stopped with their organization’s current investments in technology and staff
- 56 percent of respondents say a reason data breaches still occur is because of a lack of visibility into the operations of their security program
- Only 41 percent of respondents say their IT security team is effective in determining gaps in IT security infrastructure and closing those gaps
- 75 percent of respondents say their IT security team is unable to respond to security incidents within one day
IT experts believe penetration testing is effective in uncovering cybersecurity gaps, but many are not conducting penetration testing on a continuous basis. Key data points include:
- 57 percent of respondents say their IT security teams conduct penetration testing
- 65 percent of respondents say their penetration testing is very effective or effective in uncovering security gaps, but almost one-third have no set schedule for penetration testing and only 13 percent conduct penetration testing daily
- Only 48 percent of respondents say their organization leverages a continuous security validation (CSV) platform that allows them to determine how well security solutions are performing, but 68 percent of these respondents say their CSV platform is effective in finding security gaps
“Companies are spending far too much money on cybersecurity solutions without knowing if they are effective,” states Brett Galloway, CEO of AttackIQ.
“More than half of the experts surveyed admit they are in the dark about how well the technologies they have are working and if they’re truly effective, which is alarming considering companies are relying on these technologies to protect sensitive information including customer data.”