Even though 60% of executives said in a recent survey that they believe they can “truthfully assure the board beyond a reasonable doubt” that their organizations are secure, the reality is that up to 97% of organizations have been breached.
A study from security analytics company RedSeal of C-level CEOs, CIOs and CISOs/CSOs found that, after digging a little deeper, less than a third of all respondents, 32%, claim they have full visibility into their global network.
And in fact, 86% admit there are gaps in their ability to see and understand what’s really happening, which prevents high-level security.
A full 84% say there are silos that create huge obstacles for a highly secure environment (for example, operations separated by groups, disparate products and technologies, and monitoring and reporting tools). And 79% agree that you simply cannot secure what you can’t see or understand.
When asked if they “know for a fact that their network is currently under attack by hackers,” 29% said yes. That leaves open the question of what the remaining 71% actually know regarding current threats.
“It’s remarkable how many executives say their networks are secure—until we drill down into the issue, and it becomes obvious not only that there are vulnerabilities, but also that many organizations have no idea where those weak spots are,” said Ray Rothrock, chairman and CEO of RedSeal. “This is exactly why corporations get breached so often even though they’ve invested in excellent security products. Security is a strategic, top-level issue, and it needs to be treated as such by the entire organization. The network is the business.”
The RedSeal research also reveals a lack of understanding about what strategic security actually entails. Almost half the executives assert that security is strategic to their businesses, yet almost three-quarters, 72%, say that security products (anti-virus, firewalls, monitoring, etc.) are necessary but not strategic. Meanwhile, fully 84% agree that intra-company siloes (separate groups for security and networking operations) and inter-product siloes (disparate products, technologies, reporting) create wide gaps that prevent a truly secure environment. Those are the very concerns that could be overcome with a more strategic approach.
The study’s findings make clear that to ensure optimal security, organizations need a strategic approach that blends top-tier technologies with operations and policies that enable full network transparency.
Almost all (94%) of the respondents say that “If I could clearly understand all the possible ways attackers can get in and out of my network—with clear, simple instructions about what should be fixed first, second, third, etc.—that, to me, would be a strategic security solution and critical capability.”
Similarly, 95% of the respondents say that “If I could get the kind of intelligence that would let me comprehensively see and verify our overall state of security that, to me, would be a strategic security solution.”
And, the vast majority of the respondents, up to 95%, say that to achieve critical and highly strategic security capabilities, enterprises will have to obtain “the kind of intelligence that lets them comprehensively see and verify their overall “state of security;” have the ability to tell ‘at a glance’ whether or not their security investments are working correctly or optimally; and gain the visibility to clearly see and understand all the possible ways attackers can get to high-value data—including the paths in and out of the network—with clear, simple instructions about what needs to be fixed first, second, third, etc.
“Cybercrimes have now become so commonplace that the issue sometimes doesn’t get the attention it should, and that’s a huge mistake,” said Richard Stiennon of IT-Harvest. “If you have high confidence that you will not be breached, you are doing something wrong, or more likely, not doing all you should be doing. Security should be addressed as a strategic concern by every high-ranking executive and board member.”