Gaps in Resources Continue to Plague Cybersecurity

Organizations large and small continue to struggle with cybersecurity, not because they don’t understand the threats but because they are challenged with effective vulnerability management and other gaps in resources.

Despite 2018 being dubbed the year of the phish, with a rise in formjacking and other new and emerging threats, enterprises across 15 sectors are slow to mature in their overall cybersecurity posture because of gaps in resources, according to a report recently published by the Ponemon Institute. The study reflected that only 1 in 3 organizations are confident they can avoid data breaches.

The report, “Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture,” commissioned by Balbix, found that 68 percent of the 613 IT and IT security leaders and professionals involved with vulnerability management feel that staffing is not adequate for a strong cybersecurity posture.

“The skills gap in cybersecurity is likely to be an ongoing problem with potentially millions of unfilled positions over the next few years,” said Franklyn Jones, CMO of Cequence.

Where Are the Gaps?

While it’s well-known that the talent gap continues to widen, staffing is not the only gap holding organizations back from strengthening their cybersecurity posture. In fact, 60 percent of respondents said that they are challenged by insufficient visibility across IT asset types, especially unmanaged assets.

“Visibility is everything, yet the legacy systems we have in place today to measure program success aren’t meeting the needs of the modern enterprise,” said George Wrenn, CEO of CyberSaint Security.

Many organizations report multiple challenges keeping up with fundamental software vulnerability mitigation and patching. For example, a majority (61 percent) reported that their organizations have inadequate context on the business impact of a breached vulnerable asset.

“Quantifying and linking risks to business impact has been a need in the information security community and has especially grown over the last few years, as business leaders know the importance of protecting their critical assets and customer data,” Wrenn said. “In the wake of breaches such as Equifax, Target and others that led to business impact—whether reputational or financial—boards of directors, CEOs and CFOs need visibility into their cybersecurity posture.”

Also concerning is the finding that 67 percent of survey participants said they do not feel they have the time and resources to mitigate all vulnerabilities to avoid a data breach. When asked if they have the ability to act on the large number of resulting alerts, 63 percent said no, which the respondents admitted was problematic.

No Patch, No Problem?

While it’s understandable that so many security teams are overwhelmed with the number of alerts they see every day, “security teams are not running their vulnerability management scans frequently enough,” according to the report.

Also worrisome is that 69 percent of participants said they scan for vulnerabilities only once a month or less frequently. Even more eye-opening is the finding that only 15 percent of respondents said their patching efforts are highly effective.

“These statistics are telling, as this type of attack vector is often the easiest way for an adversary to get in, as sample exploit code for such attacks is widely available for anyone to download and weaponize. What this means is that in enterprises operating this way, an Equifax-like breach is just one bad click away,” the report noted.

Patching is, according to the report, both fundamental and key to an organization’s security posture; however, less than half of the respondents said that keeping patches up-to-date is a proactive approach to avoiding breaches.

Moving Toward Maturity

To address the skills gap, “IT organizations need to consider augmenting their staff with security tools that use advanced automation like machine learning and behavioral analysis,” Jones said. “These types of tools can assist understaffed, overworked security teams in the discovery, analysis and mitigation of potential breaches to their networks.”

Legacy systems will continue to plague organizations as they present increasing risks to the business that must be mitigated to avoid data breaches. “In today’s highly complex cybersecurity risk landscape, giving all business stakeholders useful infosec program information to inform decision-making at the highest levels is the means to building resiliency with a top-down approach,” Wrenn said.

Through an integrated risk management program, companies can work toward resiliency, but such a program would have to use financial metrics, risk quantification, simplification and automation to communicate to any stakeholder, Wrenn said. “The business impact of a myriad of breach possibilities for the business should be clear and visible, so that security teams can mitigate those risks faster, and with more agility.”

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.