The newly released 2017 Tenable Network Security Global Cybersecurity Assurance Report Card, with research conducted by CyberEdge Group, updates findings from the 2016 Global Cybersecurity Assurance Report Card. With the addition of France, India and Japan, Tenable surveyed 700 security practitioners from nine different countries across seven industry verticals. The report assesses the overall confidence levels of information security professionals in detecting and mitigating organizational cyber risk.
Global trends
This year, overall confidence levels dropped by six points to a 70%, or a C-, reflecting a decline in perceptions of global cyber readiness, fueled by the challenges of assessing and mitigating cyber risks across the evolving threat landscape. According to the data, many IT security pros feel overwhelmed by the number of breaches, and are struggling to keep pace with cloud adoption, mobile computing, DevOps environments, containerization platforms, web apps and more.
Collectively, participants scored just 61% on the Risk Assessment Index, a 12-point drop from 2016, and 79% on the Security Assurance Index, which remains unchanged.
New to the 2017 report, containerization platforms and DevOps environments are a growing concern across all countries and industries. In fact, global cybersecurity practitioners gave themselves a D on their overall ability to assess risk, with failing grades for emerging tech, including containers (52%), DevOps (57%) and mobile (57%). Compared to last year, confidence in cloud security dipped seven points to 60% or a D-.
There isn’t one contributing factor to the massive decline in Risk Assessment scores; it’s a by-product of the ephemeral nature of assets and the expanding attack surface
The biggest takeaway, however, is that there isn’t one contributing factor to the massive decline in Risk Assessment scores; it’s a by-product of the ephemeral nature of assets and the expanding attack surface. The modern enterprise network includes mobile, cloud, web apps, internet of things, BYOD, containers and virtual machines that must be constantly maintained and secured. Technology drives innovation, but it also creates more complexities and room for vulnerabilities to work their way into the network.
While alarming, the 12-percentage point drop in Risk Assessment indicates that respondents understand the challenges of today’s complex and interconnected attack surface while acknowledging gaps in their ability to assess risk in emerging technologies.
Staying positive
Although overall confidence was down in five out of the six returning countries and five out of seven industries, levels of optimism remained comparable to last year, with 43% of respondents feeling “somewhat more optimistic,” compared to 38% last year.
Additionally, the two highest global Security Assurance Index scores were the ability of security professionals to measure security effectiveness: 83% or B, and the ability to convey risk to business executives and the board: 80% or B-.
This signifies a level of growth and maturity among security professionals, and their commitment to aligning security with business objectives. Higher Security Assurance grades mean that respondents feel comfortable talking about and reporting on network security, and sharing information with the c-suite.
The road to improvement
It’s more important than ever to have continuous visibility into all assets across cloud, hybrid and on-premises environments
What can security professionals do to improve Risk Assessment and Security Assurance scores? One of the best starting points is to know exactly what is on a network at all times. You can’t secure what you don’t know about, and in today’s highly distributed and complex IT landscape, it’s more important than ever to have continuous visibility into all assets across cloud, hybrid and on-premises environments. Staying ahead of the security challenges that accompany new trends and technologies is also a priority.
Change often occurs at the highest level, so it’s also important to measure security effectiveness and to communicate risk up the chain. One way for infosec pros to convince business executives that cybersecurity should be treated as a top business concern is to have the right metrics and reporting procedures in place, readily available and easily digestible for decision makers who lack in-depth security expertise. That starts with having a resilient security program with the right visibility and context needed to not only identify network threats, but also provide data and benchmarks to drive improvement.
More information
You can access the full 2017 Global Cybersecurity Assurance Report Card, download infographics and other assets, and read about the survey methodology in more detail on the 2017 Global Cybersecurity Assurance Report Card landing page. To compare year-over-year results, check out the 2016 Global Cybersecurity Assurance Report Card landing page and summary blog. And stay tuned for on-demand webinars coming in early January 2017.