Lack of Security Capabilities Plagues IT's C-Suite Buy-in Efforts

Talk about burying one’s head in the sand: research is showing that one third of CEOs and other C-level executives are completely in the dark about cyber-attacks against their companies—despite the fact that 63% of respondents admitted that their companies had been the victims of one or more advanced attacks during the past 12 months.

A Ponemon Institute survey sponsored by Cyphort found that part of this lack of senior executive awareness goes back to a lack of security capabilities. A full 39% of respondents don’t believe their company has the necessary intelligence to make a convincing case to the C-suite about the threats facing their company. 

Case in point: About a fifth (21%) of respondents take anywhere from one to two+ years to detect attacks. And more than a quarter (27%) take up to six months to contain breaches.

“The study results are fascinating[. Despite] such catastrophic data breaches as Target and Sony, cyber threats are not getting appropriate attention from senior leadership they deserve,” said Larry Ponemon, chairman and founder of Ponemon Institute. “Companies are still struggling to have an effective strategy to prevent and detect malware and advanced threats.”

Indeed, getting malware attacks under control continues to be a challenge for companies. A majority, 68% of respondents, say their security operations team spends a significant amount of time chasing false positives.

On average, 29% of all malware alerts received by their security operations teams are investigated, and an average of 40% are considered to be false positives. Only 18% of respondents say their malware detection tool provides the level of risk for each incident.

As a result, a third (33%) of endpoint re-images or remediations are performed without knowing whether the device was truly infected. More than half (51%) of respondents say their organization re-images endpoints based on malware detected in the network rather than tied to a specific device.

“One recommendation is for organizations to significantly reduce the time spent on false positives and irrelevant threats in their network,” the analyst said. “In our opinion, the effective solutions are the ones who smartly combine next generation network-based sandboxing and network behavior anomaly analysis.”

In general, 76% of companies lack visibility of threat activity across the network. Sixty-three percent are unable to prioritize threats, and 55% lack in-house expertise.

And even worse, the report uncovered that 13% of companies expect their 2016 security budget to actually decrease.

The average 2016 cybersecurity budget is approximately $16 million; 50% say their budget will stay the same and 37% expect their budget to increase in 2016.

Out of the security budgets, 34% will be allocated to incident response efforts.

There was a sliver of good news in the report: nearly 30% of companies were able to discover the attack against their company in anywhere from one to eight hours after it occurred, and 28% of companies were able to contain the breach in that same timeframe.
