Nik Whitfield, CEO, Panaseer, tells us how CISOs grappling with numerous disparate tools should consider automation tools to help make their lives easier.
CISOs are currently suffering from compliance reporting overload. This is because organisations are subject to three critical market forces, which are fundamentally changing the cybersecurity sector. The first is that cloud and IoT technologies are significantly expanding and changing the surface that requires monitoring. The second is that regulatory mandates, such as GDPR, the SHIELD Act and the California Consumer Privacy Act, are increasing reporting requirements. Lastly, there is a skills shortage and security personnel are becoming scarcer.
To counter this, budgets and tools are on the increase. Analyst firm IDC expects organisations’ worldwide spending on security hardware, software and services in 2019 to increase 9.4% over last year. Spending will continue to grow at a compound annual growth rate of 9.2%, IDC said, and will top US$133 billion in 2022.
Research we conducted last year unveiled that the average enterprise CISO is running 57 separate security tools. Over a quarter (27%) claimed to be running a staggering 76+ discrete security products. Also, in our experience, major regulated companies such as banks are running 200 tools and more, and this number is increasing.
So, we have an increasing attack surface, increasing reporting requirements and a major skills shortage. That’s why CISOs and their teams are suffering from tooling overload. But is this effective? That’s what we wanted to investigate when we commissioned a report from Forrester Consulting in July. The findings outlined that CISOs have a misplaced confidence that the abundance of technology investments they have made has strengthened their security posture.
As the study cites: “Rightfully, companies are prioritising their security and risk initiatives and investing in multiple technologies. Unfortunately, technology investments have provided a false sense of confidence in their security posture. Security leaders must understand that a proactive approach to cybersecurity requires the right tools, not more tools.”
So where is the disconnect? The issue is that, currently, security leaders employ a variety of tools and technologies to identify risks and test the effectiveness of their security controls. As a result, security leaders are left with point-in-time assessments that require them to cobble together data from disparate systems to truly understand the organisation’s security posture. This approach is reactive, labour-intensive and insufficient in scale.
This has led to a disparity between appearance and reality, whereby security decision makers are being given a false state of confidence. A total of 86% of security leaders surveyed by Forrester Consulting said that they are confident or very confident that they have no gaps in their security controls deployed across devices, applications, people, and data.
However, the complexity of today’s IT infrastructures and the heterogeneity of enterprise security tools make it difficult for security pros to protect their environments. In fact, 97% experience challenges with their tools because they take a traditional reactive approach to fighting cybersecurity threats.
When asked about the biggest challenges they face with their security tools, the top responses include:
- Controlling coverage gaps across security functions (56%)
- Viewing a comprehensive list of assets across the organisation (43%)
- Collecting, normalising, aggregating, deduplicating and correlating disparate data (39%)
- Tracking which assets and controls do not meet regulatory and compliance policies (39%)
- Determining the effectiveness of security controls (38%)
- Getting a real-time view of corporate risks (37%)
- Tracking performance of security controls over time (37%)
As threat levels increase, 64% of security leaders surveyed said that they are making it a high or critical priority to implement a risk framework aligning cybersecurity risk and enterprise risk. However, the study identifies that one in five do not have a centralised approach for risk management.
The upshot is that we have so many security tools that we don’t know what they’re doing. Even worse, we’re burning cycles trying to work it out manually, increasingly driven by regulators. The answer is simple: automate the job.
The changing cyber market dynamics have created a clear market requirement for automated continuous controls monitoring, a new category of solution that provides real-time visibility of assets.
The ability to make informed operational security decisions based on trusted security data and metrics will enable security leaders to have real and validated confidence that company and customer data are protected.