With nation-state cyber attacks, malware intrusions and massive data breaches in the news every day, it is no surprise that cybersecurity is top of mind for organisations everywhere. Historically, security has only been a concern for the IT department, but over the last decade it has slowly become a strategic business requirement at the board and executive level. As a result, security professionals are being held accountable to the business in unprecedented ways.
The 2017 Tenable Global Cybersecurity Assurance Report Card reveals the pressures security teams are feeling today. The report measures the human IT landscape and is designed to gauge the confidence levels, attitudes and beliefs of IT security professionals, rather than the actual effectiveness of their security defences. Results show a marked decline in security teams’ confidence in assessing cybersecurity risks across key IT infrastructure components compared to last year.
Ever-growing complexity of the enterprise network landscape
With a modern enterprise network consisting of mobile, cloud, web apps, virtual machines, IoT and BYOD, networks are no longer static. The issue is not just one category of devices or apps and their individual risk, it is the totality of these assets and how they expand the corporate attack surface, creating new risks to the organisation.
Beyond the constant battle to improve visibility and manage risks for these assets, security professionals must also now address a new layer of complexity as organisations embrace the world of DevOps and containerization platforms.
Low confidence levels among cybersecurity professionals
Asia scored a D+ average in security assurance – reflecting the low confidence levels among cybersecurity professionals. It’s possible that security professionals are finally feeling the effects of near-daily data breach headlines and the constant uphill battle to keep pace with emerging technologies and proliferating threats. Despite vast expenditure on security products and services each year, data breaches continue to hit organisations around the world. Security teams worry whether their organisations will be next, and doubt their readiness even though they believe they have the funding and tools they need.
It might also be that security pros aren’t getting the kind of executive-level support they need to effectively implement their security programs. More than ever, it is critical that businesses and government organisations not only understand the threats aligned against them, but that they also possess a realistic assessment of their own cybersecurity strengths and weaknesses.
In the face of these constantly evolving challenges, security teams are facing higher expectations to contribute meaningfully to board-level decision-making.
Confidence starts from the top
This year’s research reveals that Asian security professionals aren’t as confident in executive and board-level commitment (average score of C-) as they are in their own ability to measure security effectiveness (C) and convey risks up the chain (C).
This is largely a by-product of the lack of support for and understanding of security issues among the C-suite. Executive-level reporting on organisational risk posture is essential to enable senior business leaders to make informed decisions necessary to meet modern security challenges. When a CEO or the board has a responsibility to secure the business, they will be more likely to set up policies for adopting security controls and frameworks that implement industry best practices to strengthen the overall security posture.
The problem is that security pros and the C-suite don’t always speak the same language. One solution is to bridge that gap with comprehensive security metrics reports that put technical language into easily relatable terms for non-technical audiences. Having the right metrics is crucial to convincing senior executives that cybersecurity should be taken as a high-level business concern, but it is up to the security practitioners to make these metrics readily available and easily digestible for people without in-depth security expertise.
Boosting confidence - Stick to the security basics
There is no silver bullet technology that will keep pace with the evolving threat landscape. Instead, enterprises must stick to the foundations of good cybersecurity. These include:
Promote employee cybersecurity awareness — This one is essential and often forgotten. Employees are your first line of defence, which is why education across the enterprise is essential to keeping the adversaries out of your network. Making sure employees know how to identify and report spearphishing and malvertising campaigns is important, but organisations should also remember to restrict user access, privileges and credentials. This ensures that sensitive or critical systems are only accessible to those with proper clearances and limits the exposure to threats.
Know your network — Visibility is the foundation of good cybersecurity. That’s why it’s crucial to inventory all of your hardware, software, virtual machines and cloud instances, and to continuously monitor your IT environment. Periodic scanning is no longer enough — organisations need active scanning, passive monitoring and log/event correlation to detect threats faster and with greater accuracy.
Have a plan to secure it — Take a balanced approach to security. It’s fine to have different products from different vendors, but make sure they all talk to each other. Having an integrated security ecosystem enables visibility into all facets of your network, and ensures your security team has actionable insight.
Establish useful security metrics — Every security team should be able to answer the question: How secure are we? While each organisation is unique, it’s important that you set clearly defined security metrics that are specific to your industry, daily operations and risk tolerance. And make sure to communicate the overall security posture to the C-suite.
Article by Dick Bussiere, APAC technical director for Tenable Network Security.