A comprehensive study has uncovered a high level of confusion regarding security issues in the network infrastructure. Nearly 60% of the 350 C-level executives surveyed believe they can “truthfully assure the board beyond a reasonable doubt” that their organization is secure, a surprising show of confidence in an environment where many reports reveal a high incidence of network breaches, in up to 97% of all companies. The RedSeal study highlights one major reason for this disconnect: Less than a third of all respondents, 32%, claim they have full visibility into their global network.
In perhaps the most striking finding, a staggering 86% of the respondents acknowledge gaps in their ability to see and understand what’s really happening inside the network. At the same time, 79% admit that it’s impossible to effectively secure what can’t be seen and understood. When asked if they “know for a fact that their network is currently under attack by hackers,” 29% said yes. That leaves open the question of what the remaining 71% actually know regarding current threats.
“It’s remarkable how many executives say their networks are secure—until we drill down into the issue, and it becomes obvious not only that there are vulnerabilities, but also that many organizations have no idea where those weak spots are,” said Ray Rothrock, chairman and CEO of RedSeal. “This is exactly why corporations get breached so often even though they’ve invested in excellent security products. Security is a strategic, top-level issue, and it needs to be treated as such by the entire organization. The network is the business.”
The RedSeal research also reveals a lack of understanding about what strategic security actually entails. Almost half the executives assert that security is strategic to their businesses, yet almost three-quarters, 72%, say that security products (anti-virus, firewalls, monitoring, etc.) are necessary but not strategic to their business. Meanwhile, fully 84% agree that intra-company siloes (separate groups for security and networking operations) and inter-product siloes (disparate products, technologies, reporting) create wide gaps that prevent a truly secure environment. Those are the very concerns that could be overcome with a more strategic approach.
The study’s findings make clear that to ensure optimal security, organizations need a strategic approach that blends top-tier technologies with operations and policies that enable full network transparency. Specifically:
* 94% of the respondents say that “If I could clearly understand all the possible ways attackers can get in and out of my network -- with clear, simple instructions about what should be fixed first, second, third etc. -- that, to me, would be a strategic security solution and critical capability.”
* 95% of the respondents say that “If I could get the kind of intelligence that would let me comprehensively see and verify our overall state of security that, to me, would be a strategic security solution.”
* The vast majority of the respondents, up to 95%, say that to achieve critical and highly strategic security capabilities, enterprises will have to obtain “the kind of intelligence that lets them comprehensively see and verify their overall ‘state of security’; have the ability to tell ‘at a glance’ whether or not their security investments are working correctly or optimally; and gain the visibility to clearly see and understand all the possible ways attackers can get to high-value data—including the paths in and out of the network—with clear, simple instructions about what needs to be fixed first, second, third, etc.”
“Cybercrimes have now become so commonplace that the issue sometimes doesn’t get the attention it should, and that’s a huge mistake,” said Richard Stiennon of IT-Harvest. “If you have high confidence that you will not be breached, you are doing something wrong, or more likely, not doing all you should be doing. Security should be addressed as a strategic concern by every high-ranking executive and board member.”
The RedSeal study surveyed more than 350 C-level executives. All of them are at organizations with 250 or more employees, and at least 20% lead companies with more than 1,000 employees. The responses offer a clear view into corporate America’s thinking regarding cybersecurity concerns and the different approaches enterprises take to the issue.