A new study from Tenable Network Security investigating how IT security professionals assess and mitigate cyber-security risks showed there is much room for improvement.
The tally from security practitioners in six countries and seven industry verticals showed that global cyber-security readiness earned a "C" grade in indexes measuring risk and security assessments. Of the seven industries studied, government and education earned the lowest scores (D) and the financial services segment earned the highest (B-).
Respondents from more than 20 percent of organisations surveyed for the "2016 Global Cybersecurity Assurance Report Card" said they are not confident in their abilities to assess and mitigate cyber-security risks, with cloud applications (D+) and cloud infrastructure (D) cited as two of the three most challenging IT components for assessing cyber-security risks.
Mobile devices (D) were a particularly challenging area for assessing risk. Even detecting transient mobile devices in the first place was another big challenge (C).
Nearly 40 percent of those surveyed said they feel “about the same” or “more pessimistic” about the capabilities of their enterprise to defend against cyber-attacks compared to last year. An "overwhelming threat environment" was cited as their biggest challenge.
“What this tells me is that while security innovations solve specific new challenges, practitioners are struggling to effectively deploy an overarching security strategy without gaps between defenses,” said Ron Gula, CEO of Columbia, Md.-based Tenable Network Security.
It's no surprise that security pros feel overwhelmed by the increasingly complex threat environment, he said, as recent and unprecedented cyber-attacks have disrupted business for leading global companies, infiltrated governments and shaken confidence. "With so much at stake, organisations need to know whether their security programmes are effective or if they are falling short."
The silver lining is that many of those surveyed believe they are equipped with the tools necessary to gauge overall security effectiveness (B-) and to communicate security risks to executives and board members. However, many were unsure whether their executives and board members comprehend security risks (C+) and are investing enough to mitigate them (C).
"There's a disconnect between the CISO and the boardroom that must be bridged before real progress can be made," Gula said.
Tenable surveyed 504 IT security professionals employed by organisations with 1,000+ employees in August 2015.