56 percent of IT security pros admit their infrastructure has gaps
New research released by AttackIQ based on a study by the Ponemon Institute reveals some worrying trends on the level of accountability for IT security and a lack of confidence in determining the effectiveness of security technologies.
Ponemon surveyed over 570 IT and IT security practitioners in the US and finds 63 percent of survey respondents say their IT security leadership doesn't report to the board on a regular basis, and 40 percent say they don't report to the board at all.
In addition 63 percent of respondents say their IT security leadership needs better monitoring tools to improve their ability to communicate the effectiveness of security infrastructure and potential gaps to the C-suite and board. And 56 percent say their IT security infrastructure has gaps in coverage that allow attackers to penetrate its defenses.
Most struggle to measure the effectiveness of their security too. Only 24 percent of respondents say they have a mature measurement and metrics program, and 30 percent say they have a partial metrics program. 40 percent of respondents say they don't quantify and track the company's IT security posture at all. Even of those who have either a mature or partial measurement program, only 39 percent report the findings to the board.
"Data breaches and other security incidents continue to plague enterprises, shining a light on the need for companies to shift to a proactive approach to ensuring a strong security posture," says Brett Galloway, CEO of AttackIQ. "From this research, we know that almost half of companies don’t quantify and track their IT security posture at all, completely crippling their ability to confidently identify and remediate security gaps. AttackIQ not only allows organizations to systematically test the efficacy of their security programs and address any weaknesses in coverage or configurations but also to demonstrate improvement to cybersecurity posture over time. Senior leaders, including CEOs and board members, need accurate and comprehensive data in order to determine acceptable cyber risk levels and ensure their organization is positioned to prevent disruption to critical infrastructure."
You can register for a webinar to discuss the findings to be held on October 31st.