A new survey of cyber security decision-makers found a disparity between the low confidence held in risk data and the high trust in actions taken on it
Businesses are at increased risk of cyber attacks due to an inflated sense of confidence from security decision-makers on their ability to act on vulnerabilities, according to new research.
The study, for cyber security giant Tanium, found that only 51% of businesses believed they had full visibility on cyber risks and vulnerabilities, yet 80% said they felt confident they could act “instantly” on the results of a vulnerability scan.
A further 89% said they could report a breach — which involves information on the extent of accessed systems and data compromised — within 72 hours, despite the average falling to around 300 days.
Research and advisory firm Forrester Consulting, which conducted the survey, categorised this disconnect as “misplaced confidence” among cyber security decision-makers
Forrester Consulting vice president, research director, security & risk Joseph Blankenship said: “They don’t have the visibility and can’t see all of the endpoints, so if they’re only halfway confident in their visibility — how can they have full confidence they can take instant action?
“Only about half say they have full visibility of their assets, so how can they say ‘I can find a breach in 72 hours’ if they can’t even find the asset and they actually have to wait for another indicator in the security stack to tell them.
“This basically means that in a lot of cases we’re leaving security up to a coin flip because of that disparity between high confidence in process and low confidence in visibility.
“It begs the question ‘how can we have high confidence in our process if all of our processes and reporting is based on data we have low confidence in?'”
Forrester’s study was conducted across 415 global IT decision-makers responsible for cyber security in their organisations.
Low visibility caused by ‘strained relationships’ between IT and security teams
According to Forrester, one of the causes of the disparity between process and data aggregation is tension between the IT operations teams and security staff within a business.
The report showed 42% of survey respondents said they had “strained relationships” between the two teams, with a further 67% admitting that driving collaboration between them is a major challenge.
The result of this, according to Blankenship, is that tension prolongs the time it takes to address vulnerabilities with a patch — a software fix that closes loopholes used by attackers.
Based on the study, he said those who identified the relationship between their IT ops and security teams as “healthy” took an average of 28 days to fix a vulnerability – whereas those with “strained relationships” took an average of 37 days.
One area that compounds the issue of siloed information, according to Blankenship, is the breadth of tools used in cyber security.
“We also asked our survey respondents… ‘if we brought IT operations and security together on a single unified endpoint management security solution — would that be of interest to you?’,” he said.
The response was that 52% of businesses felt such a tool would improve communication between the two teams, and 54% believed this would result in decreased vulnerabilities.