Here’s a disturbing bit of information: a large number of IT security leaders and teams don’t know if cyber security tools are working as they should, despite organizations investing millions of dollars in such technology each year.
These are among the key findings of a new research report from the Ponemon Institute, an organization that looks at a variety of cyber security issues and trends.
The firm surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organization’s IT security strategy, tactics, and technology investments. It found that 53% of the respondents said IT and security teams do not know if tools are working as expected in terms of truly protecting the network.
On average, the organizations surveyed are spending $18.4 million on cyber security technology per year. That’s an extraordinary amount of money to be spending on technologies that might not even be delivering value to organizations. And more than half of the companies (58%) said they will be increasing their IT security budget, by an average of 14%, in the next year.
Despite implementing many different cyber security tools and services—on average, organizations deploy 47 different cyber security products and technologies—they are not confident that their technology investments, staff, and processes can reduce the chances of a data breach. In fact, less than half of the IT experts are confident that data breaches can be stopped with their organization’s current investments in technology and staff.
The report said this lack of confidence stems largely from uncertainty in the efficacy of cyber security tools and the ability of the security staff to identify gaps in security and respond to security incidents in a timely manner.
The main reason data breaches still occur is due to the skill of the attackers, according to 70% of the respondents. This is followed by the increased complexity of their security environment (66%). Sixty-five percent of respondents said the dynamically changing attack surface and lack of adequate security staff with the necessary skills can also lead to a data breach.
More than half of the respondents (56%) said data breaches occur because of a lack of visibility into the operations of their security program. Only 41% said their IT security team is effective in determining gaps in IT security infrastructure and closing those gaps.
Staffing and organizational silos are preventing security teams from responding to attacks. According to the findings, only 25% of respondents said the IT security team is able to respond to security incidents within one day. The primary obstacles are created by a shortage of in-house expertise and the lack of timely response and engagement with other departments and functions, according to the study.
In some cases, tools are providing faulty information to users, according to the report. A significant number of security experts (63%) have observed a security control falsely reporting that it had blocked a cyber security attack.
Obviously that’s a problem, because it can create a false sense of security for organizations. That could lead to devastating breaches that might have been preventable. And unfortunately when these shortcomings in tools emerge, the reaction is often to buy more tools.
“When processes and solutions like this fail, many companies respond by throwing more money at the problem,“ said Larry Ponemon, founder and chairman of Ponemon Institute. “Further security spending needs to be put on hold until enterprise IT and security leaders understand why their current investments are not able to detect and block all known adversary techniques, tactics and procedures.”
Only 48% of respondents said their organization leverages a continuous security validation (CSV) platform that allows them to determine how well security tools are performing. However, 68% of those respondents said their CSV platform is effective in finding security gaps.
The IT experts think penetration testing is effective in uncovering cyber security gaps. But many are not conducting penetration testing on a continuous basis. More than half (57%) of respondents said their IT security teams conduct penetration testing, and about two thirds said their penetration testing is very effective or effective in uncovering security gaps.
But almost one-third of the organizations surveyed have no set schedule for penetration testing, and only 13% conduct penetration testing daily.
On the bright side, nearly 40% of organizations said they are getting full value from their security investments. But that percentage is way too low considering how crucial it is for businesses to have a strong cyber security posture.