Experts Hopeful as Confidence in Risk Assessment Falls

The 2017 Global Cybersecurity Assurance Report Card shows a six-point fall from last year's overall rating, down from 76% to 70% (graded C-). Although organizations' confidence in mitigating threats is unchanged at 79% (C+), confidence in their ability to assess risks has tumbled 12 points from 73% to 61% (D-).

The annual Report Card (PDF) is compiled by CyberEdge for Tenable Network Security (which raised a massive $250 million in Series B funding last year). This year 700 respondents from organizations with more than 1,000 employees in seven key verticals took part. The purpose is to measure security professionals' confidence in their ability to protect their networks, not to measure actual security.

The results show marked differences in professionals' confidence levels not only between verticals but also between geographic regions. For example, the highest confidence in security assurance (threat mitigation) is found in retail, financial services and manufacturing, all rating themselves at B. The lowest confidence in risk assessment is in financial services, manufacturing and government, all rating themselves at F. Overall, retail scores highest at C, with healthcare, education and government lowest at D.

Geographically, India is the most self-confident region, giving itself an overall rating of B. Japan is the least self-confident, with an overall rating of F. Between these, the US scores C+; Canada and France score C; Australia C-; the UK and Singapore D; and Germany D-. It is tempting to draw a parallel with national political and economic confidence levels, with India thriving and Japan still in the doldrums. Even Germany, usually a thriving and self-confident nation, currently has issues with mass immigration and public concern over 'funding' the weaker EU nations.

However, the most consistent feature in this year's Report Card is the general decline in confidence in risk assessment. Professionals across all verticals and all regions have less confidence in their organizations' ability to assess risk than in their ability to mitigate threats once those threats have been discovered.

Tenable believes this is at least partly due to a lag between the emergence of new technologies and organizations' confidence in being able to assess the risk those technologies introduce.

"Today's network is constantly changing -- mobile devices, cloud, IoT, web apps, containers, virtual machines -- and the data indicate that a lot of organizations lack the visibility they need to feel confident in their security posture," said Cris Thomas, strategist at Tenable Network Security.

The three challenges that most concern professionals are the 'overwhelming cyber threat environment', 'low security awareness among employees', and a 'lack of network visibility (BYOD, Shadow IT)'. The first reflects the sheer volume of high-profile network breaches reported almost daily. The second, however, amounts to an admission that neither security education in schools nor in-situ awareness training is adequately successful. The third has become a perennial problem for security teams over the last few years: the loss of a defensible perimeter caused by increasing use of personal devices and unauthorized adoption of personal cloud services, coupled with the difficulty of actually tracking what is happening on the network.

All of these, coupled with new practices and technologies such as DevOps and container platforms like Docker, contribute to the concern over the ability to adequately assess network risk.

Despite current concerns, however, security professionals remain optimistic about the future. Nearly two-thirds say they are now somewhat or significantly more optimistic about their organization's ability to defend itself against cyber-attacks. Fewer than 10% reported that they are somewhat or significantly more pessimistic about the future.

Nigel Hawthorn, EMEA marketing director for Skyhigh Networks, commented, "2016 has been a year full of cyber-security incidents, so I guess it should be no surprise that security practitioners feel that their ability to assess risks has worsened; but the figures about current capabilities are certainly sobering. However, it is good to see that the forward-looking view is more optimistic -- I think that is recognition that security tools are improving and the options available have a wealth of innovative features."

He added, "I often hear one of the major difficulties is communicating risks to senior executives and the figures bear that out; an overall B- score shows the difficulties that IT security people face. As an industry, we need to improve our products to demonstrate the risks seen and mitigated in a way that senior management can digest."

"It's pretty clear that newer technologies like DevOps and containers contributed to driving the overall score down," suggests Thomas; "but the real story isn't just one or two things that need improvement, it's that everything needs improvement."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.