The disparate technologies that enterprises use to secure their IT infrastructures don’t provide a complete, real-time view of cybersecurity risk, a Forrester survey reveals. The research also shows that the abundance of deployed tools leads to a false sense of confidence.
64% of companies are making it a high priority to implement a risk framework aligning cybersecurity risk and enterprise risk, according to the survey of 250 senior security decision-makers. Most companies use multiple technologies to identify and mitigate enterprise risk, including security analytics, vulnerability management, governance, risk, and compliance (GRC), as well as vendor risk management platforms.
“Increasing the number of security technologies doesn’t translate to improved security, however … The abundance of technology investments gives firms a false sense of confidence in their security posture,” the report says.
Almost every respondent reported challenges with existing tools, including manual reporting, an incomplete view of asset inventory and controls, and the insufficient visibility inherent to point-in-time solutions.
Asked to name the technologies used to identify and understand enterprise risk, respondents said:
- Security and analytics platform (83%)
- Security information and event management (SIEM) technology (80%)
- Vulnerability management technology (70%)
- Governance, risk and compliance (GRC) platform (64%)
- Vendor risk management technology (61%)
- Third-party risk intelligence feeds (57%)
While companies report confidence in their security management efforts, their challenges paint a different picture.
86% are confident they have no gaps in the disparate security controls deployed across devices, applications, people and data. And 78% say they take a centralized approach to risk management across their organizations.
“If true, this means they have a common risk taxonomy across the organization, manage technologies centrally, and aggregate and share risk data across business units,” Forrester researchers wrote. “The menagerie of disjointed technologies makes it difficult to aggregate risk data for reporting, often requiring manual effort. This, in turn, hinders them from having insight into their overall risk posture.”
Researchers found a gap between companies' stated confidence and the challenges they face with cybersecurity.
“In fact, challenges companies are experiencing indicate a gap in perception versus reality,” they said.
Asked to name those challenges, respondents pointed to:
- Controlling coverage gaps across security functions (56%)
- Viewing a comprehensive list of assets across the organization (43%)
- Collecting, normalizing, aggregating, deduplicating and correlating disparate data (39%)
- Tracking which assets and controls do not meet regulatory and compliance policies (39%)
- Determining the effectiveness of security controls (38%)
- Getting a real-time view of corporate risks (37%)
- Tracking performance of security controls over time (37%)
Companies are therefore increasing their risk of a data breach. The report concludes that, as technology investments provide a false sense of confidence, security leaders must understand that a strong cybersecurity posture means the right tools, not more tools.