SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Lack of visibility cited as number one roadblock to robust security, report finds
Fri, 17th Sep 2021
FYI, this story is more than a year old

Among the roadblocks to achieving a risk-oriented security posture are ineffective security metrics, operational inefficiencies and the lack of full visibility across their dynamic IT environment.

This is the key finding of ReliaQuest and Ponemon Research's latest report ‘Making Security Possible and Achieving a Risk-oriented Security Posture', that details the needs and priorities of cybersecurity leaders.

The report shows that organisations are prioritising strategic security programs but missing the foundational capabilities they need to make meaningful changes to their security posture.

The report finds that security leaders are committed to a stronger risk-based security posture with 57% of respondents prioritising securely migrating applications to the cloud.

Furthermore, almost half (49%) of security leaders are enabling DevSecOps best practices and 48% of organisations surveyed are prioritising implementing zero trust principles as part of their security strategy.

However, overall the report finds that security teams are not aligned on their security program or metrics.

The primary obstacle to implementing an IT security risk management program is a lack of standardised metrics to measure progress (64%), followed by the lack of a risk management strategy and decision-making structure (58%).

More than half (58%) of respondents say that the lack of a well-defined security and risk management program is what makes their organisation most vulnerable to attacks, but only 31% consider developing a risk-reduction program a top security priority.

In addition, only a third (37%) of those surveyed believe that their teams are tracking the right security metrics and that it is easy to communicate them to business executives and board members, and only about half (49%) rate developing business goal-oriented metrics as one of the top priorities for the next year.

The report also highlighted that security teams are inhibited by process and operational inefficiencies.

Of those surveyed, 31% of respondents say their security staff spends at least three hours a day manually administering and managing (optimisation, writing rules, integrating) tools.

The majority (57%) of organisations have one staff member managing more than four tools in their organisations, and only 17% have one staff member assigned to manage a single tool.

Overall, 52% agree that their team is spending too much time on data collection activities instead of threat detection and analysis.

The report also identified poor enterprise-wise visibility as the main culprit behind risk exposure.

Only 13% said they have more than 75% visibility across all security tools, including on-premises and the cloud, and 69% believe they have less than 50% visibility across all security tools, including on-premises and the cloud.

More than half (56%) believe they could achieve better threat detection and response efficiency with better visibility by integrating and providing a singular view across tools, and 60% state their top challenge in implementing effective threat detection is a lack of integrated visibility into cloud and on-premises sources.

Finally, only about one-third (36%) say they are measuring visibility across the environment, including on-premises and the cloud.

ReliaQuest vice president of product and solutions marketing, Ashok Sankar, says, “This research offers insights into the priorities of security leaders, the day-to-day struggles they face and their ambition to support the business through change.

“While it's positive to see more leaders engaging in strategic approaches to securing their organisation, as they look to implement programs like zero trust - which can be a multi-year journey - it's important to keep their energy focused on the fundamentals of cybersecurity.

"Visibility, metrics and process aren't sexy, but they are the building blocks of a resilient security program.

Sankar adds, “As organisations seek to digitally transform their business and adapt to hybrid work, it's critical that security teams are not only aligned on goals, but also have the proper resources to drive resilient security operations, setting the enterprise up for long-term success.