Overinvestment breeds overconfidence among security pros

CISOs have made an abundance of security investments in multiple suppliers, but this might not be the right approach

The average enterprise has spent so much money on disparate cyber security systems that security professionals may be victims of overconfidence in their security posture, which could be making it harder for them to protect their environments, according to a study of 250 decision makers conducted by Forrester for Panaseer, a supplier of continuous control monitoring platform services.

Respondents to the survey said they employed a wide variety of security tools and technology, but according to Panaseer, this leaves them with “point-in-time assessments” that force them to cobble together data from various systems to truly understand their security posture. It said this approach was “reactive, labour-intensive and insufficient in scale”.

Moreover, it led to a disconnect between appearances and reality – 86% of respondents said they were either confident or very confident that they had no gaps in their security controls, whereas in reality this was very unlikely to be the case.

Panaseer said the complexity of modern-day IT infrastructures and the general heterogeneity of security tools made it harder to protect businesses, and 97% of security professionals experienced challenges through taking this approach – the most commonly cited being controlling coverage gaps (56%), viewing a comprehensive list of assets (43%), and collecting and correlating data (39%).

The firm’s chief marketing officer, Sean Goldstein, said the problem of overconfidence was obviously widespread. “The tooling people have invested in is not necessarily hitting everything people think it is, leaving previously unknown risk and not maximising their investments,” he said.

“Security is a hard thing to do well in a large environment because there are lots of devices, people and servers that need protection,” Goldstein told Computer Weekly during a conversation ahead of the report’s publication.

“A good example of this is exactly what happened in the Nasa breach – there was an unknown asset on the network without any safeguards or controls, and someone was able to infiltrate the Nasa environment through it.”

Goldstein conceded that it was hard to get an accurate view of every potential security problem for a multitude of reasons. These could include the presence of shadow IT, as in the Nasa breach, or a security tool that for some reason stops covering a particular asset – it is hard to get a view of a problem when the tool itself does not know what it is missing.

This, he said, made the case for continuous monitoring clear. “Once you have a composite 360-degree view, you can roll it up to various levels to solve different problems that organisations have, starting with what is the truth of your posture,” he said. “You can see what’s not there, measure what is, and align your security.”
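As an added illustration of the composite view Goldstein describes, and not code from Panaseer or the report: reconcile the asset lists that several tools report, flag the assets each control misses, and compare against a previous snapshot to catch an asset a tool has quietly stopped seeing. Tool names and hostnames are constructed sample data.

```python
"""Constructed illustration of a 'composite view' across security tools: union each
tool's asset list, flag assets a control does not see, and catch assets a control
has silently stopped reporting between runs."""
# Constructed sample data: each tool's current view of the estate, by hostname.
TOOL_INVENTORIES = {
    "cmdb": {"web01", "web02", "db01", "hr-laptop-7"},
    "edr": {"web01", "web02", "db01", "hr-laptop-7", "build-agent-3"},
    "vuln_scanner": {"web01", "db01", "hr-laptop-7"},
    "patching": {"web01", "web02", "db01"},
}
# Constructed snapshot from the previous run: the scanner still saw web02 then.
PREVIOUS_INVENTORIES = {**TOOL_INVENTORIES,
                        "vuln_scanner": TOOL_INVENTORIES["vuln_scanner"] | {"web02"}}


def composite_inventory(inventories):
    """Union of every tool's view: the closest available 'truth' of what exists."""
    return set().union(*inventories.values())


def coverage_gaps(inventories):
    """Per control, the assets seen by at least one other tool but not by this one."""
    universe = composite_inventory(inventories)
    return {tool: sorted(universe - seen) for tool, seen in inventories.items()}


def unknown_assets(inventories, source_of_truth="cmdb"):
    """Assets any tool reports that the nominal inventory lacks (shadow IT candidates)."""
    return sorted(composite_inventory(inventories) - inventories[source_of_truth])


def coverage_percent(inventories):
    """Share of the composite inventory each control actually covers."""
    universe = composite_inventory(inventories)
    return {tool: round(100 * len(seen) / len(universe), 1)
            for tool, seen in inventories.items()}


def dropped_since(previous, current):
    """Assets a control reported last run but not this one; a point-in-time
    assessment cannot see these, a continuous comparison can."""
    return {tool: sorted(previous[tool] - current.get(tool, set()))
            for tool in previous if previous[tool] - current.get(tool, set())}


if __name__ == "__main__":
    for tool, gaps in coverage_gaps(TOOL_INVENTORIES).items():
        print(f"{tool:13s} gaps: {gaps}")
    print("not in CMDB:", unknown_assets(TOOL_INVENTORIES))
    print("coverage %:", coverage_percent(TOOL_INVENTORIES))
    print("dropped since last run:", dropped_since(PREVIOUS_INVENTORIES, TOOL_INVENTORIES))
```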

The study’s authors wrote: “Rightfully, companies are prioritising their security and risk initiatives and investing in multiple technologies. Unfortunately, technology investments have provided a false sense of confidence in their security posture. Security leaders must understand that a proactive approach to cyber security requires the right tools, not more tools.”
