Data breaches have grown so frequent that at least some observers have begun to question whether cybersecurity staffs within corporate and government entities are up to the challenge of stopping them. “You just have to look at the continued ubiquity of breaches in the headlines to know that we’re losing the cyber battle right now,” says Julie Conroy, research director at Aite Group, a Boston-based consultancy.
Now there’s data to support the idea that the good guys are overwhelmed. Some 54% of chief information security officers and senior information-technology decision makers reported in a survey released last week that they lack the “tools and resources” they need to stop hackers. Moreover, in the event of a major incident, 55% admit they can’t act fast enough to cap the loss of data.
The responses came last summer in a canvass of 600 persons conducted by RedSeal Inc., a Sunnyvale, Calif.-based company that tests corporate networks’ ability to withstand attack. “The burgeoning threat volume and complexity is outpacing security teams’ capabilities,” the company said in a report summarizing the survey results.
Part of the reason for these dismal results, according to the report, is that security personnel are all too often caught unprepared. The average length of time since an organization has mapped its network, including pinpointing access points, is nine months. That means vulnerabilities not only exist, they may not even be known, RedSeal says. At the same time, organizations’ efforts to plug holes may be badly outdated, as fully one-quarter of respondents said they test their security strategies only once a year.
Still, security officers grossly overestimate their ability to detect a hack. The average reported time for detection in RedSeal’s survey is six hours, yet various studies have shown periods ranging from a minimum of 24 hours up to 99 days. “Companies are struggling and not fully informed,” RedSeal says in its report summary.
Also, many organizations find themselves struggling with regulatory compliance rather than focusing on security strategy, according to the survey. As a result, they lack any sort of “overarching strategy” for securing their networks. “This report underscores the urgency for the leaders of cyber strategy to pivot and aggressively pursue resilience, the ability to maintain business as usual while navigating an attack, as the new gold standard. Being prepared is the best defense,” said Ray Rothrock, chief executive and chairman of RedSeal, in a statement.
Experts like Conroy say they have encountered many of the report’s observations in their day-to-day work with clients. “This echoes a lot of the same challenges and concerns that I hear as I speak with firms in the payments arena,” she tells Digital Transactions News by email. “The environment is so complex and innovation is pushing things forward rapidly, so in many firms [information-security] teams are often in catchup mode.”
One big challenge, she points out, is that in many cases security officers may be struggling to sort out too much information, making it hard to separate actual warnings from the noise. “There are so many tools that put forth thousands of alerts that affect prioritization, and triage of these alerts can be very challenging,” she says.