More than half of enterprises don't know if their security tools are working
According to a new report, 53 percent of enterprise security leaders don't know if their security tools are working, despite massive spending.
The study carried out for continuous validation specialist AttackIQ by the Ponemon Institute shows companies surveyed are spending an average of $18.4 million annually on cybersecurity and 58 percent will be increasing their IT security budget by an average of 14 percent in the next year.
Yet 63 percent of respondents say they've observed a security control reporting that it blocked an attack when it actually failed to do so. In addition only 39 percent of respondents think they are getting full value from their security investments.
"The significant number of security experts who have observed a security control falsely reporting it blocked a cybersecurity attack is alarming," says Larry Ponemon, founder and chairman of the Ponemon Institute. "When processes and solutions like this fail, many companies respond by throwing more money at the problem. Further security spending needs to be put on hold until enterprise IT and security leaders understand why their current investments are not able to detect and block all known adversary techniques, tactics and procedures."
According to the findings companies deploy on average 47 different cybersecurity solutions and technologies. However, less than half of IT experts are confident that data breaches can be stopped with their organization's current investments in technology and staff. 56 percent of respondents say a reason data breaches still occur is because of a lack of visibility into the operations of their security program.
In addition only 41 percent of respondents say their IT security team is effective in determining gaps in IT security infrastructure and closing those gaps, while 75 percent of respondents say their IT security team is unable to respond to security incidents within one day.
"Companies are spending far too much money on cybersecurity solutions without knowing if they are effective," says Brett Galloway, CEO of AttackIQ. "More than half of the experts surveyed admit they are in the dark about how well the technologies they have are working and if they're truly effective, which is alarming considering companies are relying on these technologies to protect sensitive information including customer data. Organizations must be certain their security measures can effectively prevent critical infrastructure disruption, and AttackIQ was created specifically to meet this need. AttackIQ operationalizes the industry standard MITRE ATT&CK framework to systematically test the efficacy of companies' security programs, and identifies gaps in coverage or configurations."
The full report is available from the AttackIQ site.