How misplaced confidence is driving up cyber risk, and what CISOs can do about it

Security leaders are used to pressure. They face a perfect storm of increased regulatory compliance and an explosion in cyber-threats, which has put security and risk programmes under intense scrutiny. Yet unfortunately, as a new study from Forrester Consulting reveals, many of them are suffering from misplaced confidence that the abundance of technology investments they have made has strengthened their security posture.

To overcome this disconnect between perception and reality, security leaders need to understand that having multiple, traditional solutions in place will not enable them to take a proactive approach to cybersecurity. Instead of more tools, they need the right tools, and a unified, Continuous Controls Monitoring (CCM) platform.

Cost and complexity

We all know the threat landscape has rapidly evolved over the past few years, driven by a cybercrime economy said to be worth an estimated $1.5 trillion per year. Today’s budding hackers have all the tools and expertise they need at their disposal on dark web markets. Service-oriented packages for banking trojans, data theft and more mean many do not even need to be technical experts to reap the rewards of cybercrime. One vendor blocked nearly 27 billion threats in the first half of 2019 alone, recording large surges in BEC, phishing, fileless attacks, ransomware and more.

In response to this increasingly professionalised cybercrime challenge, CISOs have invested in a range of cross-domain security tools: everything from SIEM and vulnerability management to GRC platforms, and security analytics. In larger organisations, the picture becomes even more complex, especially if the enterprise has grown through acquisition. It’s not uncommon to find duplication of security tools, with offices in different jurisdictions potentially using products with similar functionality but from different vendors. This adds cost and complexity and can lead to coverage gaps.

As if that weren’t enough, there’s the growing burden of compliance. The pan-European GDPR and NIS Directive were two notable additions in 2018, but the reality is that most multi-nationals face a confusing patchwork of multiple regulatory compliance requirements to manage. Major GDPR fines levied recently on Marriott International and British Airways have made boardrooms increasingly reliant on IT, security and risk teams to demonstrate that they have the best interests of their customers at heart.

Misplaced confidence

That Forrester Consulting study, commissioned by Panaseer in June, reveals that all global companies are quite rightly responding to these challenges by prioritising security and risk programmes and investing in security and risk automation. Yet in doing so, most are relying on multiple tools including: security analytics; vulnerability management; governance, risk, and compliance (GRC); and vendor risk management platforms.

Unfortunately, this has not led to improved security — it has only created a false sense of security.

Some 86% of IT security leaders are confident or very confident they have no gaps in their security controls, yet over half admit that fixing coverage gaps is their biggest challenge. What’s more, over three-quarters (78%) say they take a centralised risk management approach across their organisation, yet the multiplicity of siloed tools they use will make this extremely difficult.

In reality, the vast majority (97%) of organisations Forrester Consulting spoke to are experiencing challenges with their heterogeneous mix of tools because they are too reactive. They often integrate poorly, meaning CISOs can’t gain a holistic view of inventory and controls; they don’t provide continuous visibility, for example into whether security controls are performing within policy; and they force teams to rely on manual, time-consuming reports.

Towards continuous monitoring

It’s not hard to see how this could severely impact the role of the security team: undermining efforts to understand enterprise risk, demanding the time of security staff who would be more use strategically elsewhere, and increasing the risk of damaging breaches. Yet given the complexity of modern enterprises, and the sheer volume of IT assets and security functions to be managed, how realistic is gaining real-time visibility of assets, security controls, and the effectiveness of those controls?

The good news is that such functionality exists today. Continuous Controls Monitoring platforms ingest data from multiple IT and business sources via scores of connectors, and then automatically normalise, aggregate, de-duplicate and correlate it to produce an accurate cross-security domain composite view of all assets, people and data sets. With this, security teams can finally gain the visibility and control they need: to ensure all IT assets are covered by security controls, and that these controls are working as they should.

This means control over everything from inventory gaps and vulnerabilities to endpoint security, privileged access, patching, application security, and user awareness. Crucially, CCM enables automated enterprise-wide security assessments, so that organisations can proactively resolve any control incidents before they escalate to become a security incident.

Time to get real

It’s no surprise that 100% of the IT security leaders Forrester Consulting spoke to expect to drive benefits from proactive and continuous risk identification, prioritisation, and remediation. In a world of increasingly agile, determined and well-resourced attackers, one mistake or security blind spot could result in a catastrophic service outage or data breach.

This means understanding that ploughing funds into more security tools doesn’t necessarily mean more proactive, enhanced cybersecurity. For real-time visibility and streamlined, automated security reporting, Continuous Controls Monitoring is increasingly the right destination.