Asian cybersecurity confidence levels take a dip
Dick Bussiere, APAC technical director
With nation-state cyber attacks, malware
intrusions and massive data breaches in the news every day, it is no surprise
that cybersecurity is top of mind for organisations everywhere. Historically,
security has only been a concern for the IT department, but over the last
decade it has slowly become a strategic business requirement at the board and
executive level. As a result, security professionals are being held accountable
to the business in unprecedented ways.
The 2017 Tenable Global Cybersecurity
Assurance Report Card
reveals the pressures security teams are feeling today. The report measures the
human IT landscape and is designed to gauge the confidence levels, attitudes
and beliefs of IT security professionals, rather than the actual effectiveness
of their security defences. Results show a marked decline in security teams’
confidence in assessing cybersecurity risks across key IT infrastructure
components compared to last year.
Ever-growing complexity of the enterprise network landscape
With a modern enterprise network consisting of
mobile, cloud, web apps, virtual machines, IoT and BYOD, networks are no longer
static. The issue is not just one category of devices or apps and their
individual risk, it is the totality of these assets and how they expand the
corporate attack surface, creating new risks to the organisation.
Beyond the
constant battle to improve visibility and manage risks for these assets,
security professionals must also now address a new layer of complexity as
organisations embrace the world of DevOps and containerization platforms.
Low confidence levels among cybersecurity professionals
Asia scored a D+ average in security assurance –
reflecting the low confidence levels among cybersecurity professionals. It’s
possible that security professionals are finally feeling the effects of
near-daily data breach headlines and the constant uphill battle to keep pace with
emerging technologies and proliferating threats. Despite vast expenditure on
security products and services each year, data breaches continue to hit
organisations around the world. Security teams worry whether their
organisations will be next, and doubt their readiness even though they believe
they have the funding and tools they need.
It might also be that security pros aren’t
getting the kind of executive-level support they need to effectively implement
their security programs. More than ever, it is critical that businesses and
government organisations not only understand the threats aligned against them,
but that they also possess a realistic assessment of their own cybersecurity
strengths and weaknesses.
In the face of these constantly evolving challenges,
security teams are facing higher expectations to contribute meaningfully to
board-level decision-making.
Confidence starts from the top
This year’s research reveals that Asian security
professionals aren’t as confident in executive and board-level commitment
(average score of C-) as they are in their own ability to measure security
effectiveness (C) and convey risks up the chain (C).
This is largely a by-product of the lack of
support for and understanding of security issues among the C-suite.
Executive-level reporting on organisational risk posture is essential to enable
senior business leaders to make informed decisions necessary to meet modern
security challenges. When a CEO or the board has a responsibility to secure the
business, they will be more likely to set up policies for adopting security
controls and frameworks that implement industry best practices to strengthen
the overall security posture.
The problem is that security pros and the
C-suite don’t always speak the same language. One solution is to bridge that
gap with comprehensive security metrics reports that put technical language
into easily relatable terms for non-technical audiences. Having the right
metrics is crucial to convincing senior executives that cybersecurity should be
taken as a high-level business concern, but it is up to the security
practitioners to make these metrics readily available and easily digestible for
people without in-depth security expertise.
Boosting confidence – Stick to the security basics
There is no silver bullet
technology that will accurately respond to the evolving threat landscape.
Instead, enterprises must stick to the foundations of good cybersecurity. These
include:
Promote employee
cybersecurity awareness — This one is essential and often forgotten. Employees are your first line
of defence, which is why education across the enterprise is essential to
keeping the adversaries out of your network. Making sure employees know how to
identify and report spearphishing and malvertising campaigns is important, but
organisations should also remember to restrict user access, privileges and
credentials. This ensures that sensitive or critical systems are only
accessible to those with proper clearances and limits the exposure to threats.
Know your network
— Visibility is
the foundation of good cybersecurity. That’s why it’s crucial to inventory all
of your hardware, software, virtual machines and cloud instances. And be sure
to continuously monitor your IT environment. Periodic scanning is no longer
enough — organisations need active, passive and log/event correlation to detect
threats faster and with greater accuracy.
Have a plan to secure it
— Take a balanced
approach to security. It’s fine to have different products from different
vendors, but make sure they all talk to each other. Having an integrated
security ecosystem enables visibility into all facets of your network, and
ensures your security team has actionable insight.
Establish useful security metrics
— Every security
team should be able to answer the question: How secure are we? While each
organisation is unique, it’s important that you set clearly defined security
metrics that are specific to your industry, daily operations and risk
tolerance. And make sure to communicate the overall security posture to the
C-suite.