The roadblocks to preventive cybersecurity success

In the last two years, the average organization’s cybersecurity program was prepared to defend preventively, or block, just 57% of the cyberattacks it encountered, according to Tenable.

This means 43% of attacks launched against them are successful and must be remediated after the fact.

58% of respondents say they focus almost entirely on fighting successful attacks rather than working to prevent them in the first place. The study finds that this is largely due to an inability to reduce potential risks before attacks happen.

Cyber professionals cite that this reactive stance is largely due to their organizations’ struggle to obtain an accurate picture of their attack surface, including visibility into unknown assets, cloud resources, code weaknesses and user entitlement systems.

Managing preventive cybersecurity tools requires a skilled workforce

The complexity of infrastructure — with its reliance on multiple cloud systems, numerous identity and privilege management tools, and various web-facing assets — brings numerous opportunities for misconfigurations and overlooked assets.

Respondents were mainly concerned with the risks associated with cloud infrastructure, given the complexity it introduces in trying to correlate user and system identities, access and entitlement data.

75% view cloud infrastructure as their organization’s greatest exposure risk source. In order, the highest perceived risks come from the use of public cloud (30%), multi-cloud and/or hybrid cloud (23%), private cloud infrastructure (12%) and cloud container management tools (9%).

It takes considerable human resources to manage the many tools required to practice preventive cybersecurity — and to create meaningful risk reports from these disparate data sources.

While 75% of respondents say they consider user identity and access privileges when they prioritize vulnerabilities for remediation, 50% say their organization lacks an effective way of integrating such data into their preventive cybersecurity and exposure management practices.

57% say a lack of data hygiene prevents them from drawing quality data from user privilege and access management systems, as well as from vulnerability management systems. On average, it takes 15 hours a month to create reports for business leaders about the health of organizational security infrastructure.

Frequency of business-critical system meetings

In 53% of organizations, meetings about business-critical systems take place monthly, while 18% hold such meetings only once per year and 2% say they never hold such meetings.

This data comes at a critical point in time for publicly traded companies, following the recent introduction of SEC rules on cybersecurity risk management, strategy, governance and incident disclosure that take effect in December of this year. The new rules that mandate the disclosure of material cybersecurity incidents by public companies also stipulate that they outline their processes for assessing, identifying and managing material risks from cybersecurity threats.

It also requires them to highlight the oversight processes of boards of directors and executive management in assessing and managing cybersecurity risks. For organizations that do not have these best practices and processes in place, preventive security measures will become a requirement for operations.

“Preventive security is no longer an optional approach to risk management, but a prerequisite,” said Robert Huber, chief security officer and head of research, Tenable. “The scattershot firefighting by security organizations is a recipe for failure, especially with the expansion of the attack surface and exposure points caused by trends like cloud migration and AI.

“We’re speaking with more and more organizations about the importance of proactively understanding and reducing risk, and this research underscores that many of them know this intuitively, but are struggling with headwinds that are often beyond their control. We hope to foster more collaborative discussion between stakeholders to simplify their practices and get to the risk data they actually need for faster prioritization and remediation,” concluded Huber.