2017 Survey: Security Professionals Say Their Enterprises Score ‘Below Average’ in Ability To Assess Cyber Risks

A survey from Tenable Network Security finds infosec professionals rank their enterprise’s ability to assess cyber risks as C-Minus, or below average. IDN looks at the 2017 Global Cybersecurity Assurance Report Card, and at why the rapid adoption of containers, cloud, mobile and IoT is causing some of the lack of confidence.

Tags: BYOD, cloud, containers, cyber, database, DevOps, DMZ, hacks, IoT, mobile, risk assessment, security

A recent survey of information security professionals found they have diminishing confidence in their organization’s ability to accurately assess cyber risk.

On average, the survey’s results, published as the 2017 Global Cybersecurity Assurance Report Card, found infosec professionals would rank their firm’s security acumen as a ‘C-Minus’ -- or below average, according to Cris Thomas, a strategist at Tenable Network Security, a security services provider to F1000 firms and producer of the survey.

  • The web-based survey was conducted this fall, and received 700 responses worldwide from professionals working at organizations with 1,000 or more employees. 
  • The survey asked respondents to rate their organization’s ability to assess cybersecurity risks across 10 key components of enterprise IT infrastructure.
  • Answers provided were used to calculate a “global index score” to reflect overall confidence that the world’s cyber defenses are meeting expectations.
  • The findings, aggregated in the 2017 Global Cybersecurity Assurance Report Card, gave global cybersecurity readiness a “C-Minus” average with an overall score of 70 percent.

The poor ‘readiness score’ can be blamed in part on the rate of rapid change across so many IT domains, notably cloud, mobile, IoT and newer fields such as DevOps and containerization, Tenable’s Thomas said.

“The data indicate that a lot of organizations lack the visibility they need to feel confident in their security posture. It’s pretty clear that newer technologies like DevOps and containers contributed to driving the overall score down, but the real story isn’t just one or two things that need improvement, it’s that everything needs improvement,” he said.


Here are some key (and sobering) findings from 2017 Global Cybersecurity Assurance Report Card:

Cloud Darkening – Grade D-Minus: Cloud software as a service (SaaS) and infrastructure as a service (IaaS) were two of the lowest-scoring areas for risk assessment capability in last year’s (2016) report. Cloud, for all the efforts to improve security and visibility, remains dark and murky, the latest survey found.

For the 2017 report, SaaS and IaaS were combined with platform as a service (PaaS) to give a fuller picture of the new “cloud environments” component. Taken together, this new component dropped 7 points from 2016’s report, scoring 60 percent (a dismal D-).


A Mobile Morass – Grade F: Another big weakness from last year’s report, risk assessment for mobile, also got weaker. Confidence in risk assessment for mobile devices earned a failing (F) grade, dropping eight points from 65 percent to 57 percent. Users want to access corporate applications and data using their personal tablets and smartphones, but implementing a bring-your-own-device (BYOD) policy can leave IT environments vulnerable unless these devices are properly secured.

DevOps – Grade F: A new addition, DevOps environments, also starts out with big security concerns. Even though DevOps is poised to offer big benefits in transforming the way software teams collaborate through increased consistency and automation, it is introducing “major new security concerns” for survey respondents. A mere 57 percent express confidence in the ability to assess security during the DevOps process.


Containerization Technology – Grade F: Adoption of containerization technologies (such as Docker) is also exploding as organizations look to accelerate innovation cycles and reduce time-to-market. That said, only 52 percent of respondents felt that their organization had a handle on how best to assess security risks when using these container environments.

Geographical and Vertical Disparities
Not all countries scored the same. Across the nine countries surveyed, India scored a “B”, the United States a “C+”, while Japan, with an “F”, had the lowest grade of all.

Similarly, some industries are more prepared to do risk assessments than others. Responses from 19 industries were collected, with the top seven industries accounting for 62% of the responses. Within these seven industries, the overall grades ranged from “C” for Retail, “C-” for Financial Services, Manufacturing and Telecom, and “D” for Health Care, Education and Government.


Decline in Risk Assessment Confidence, But Glimmers of Hope
According to this year’s data, global cybersecurity confidence fell six points over 2016 to earn an overall score of 70 percent – a “C-” on the report card.

The overall decline in confidence, Thomas explained, is the result of a 12-point drop in the 2017 Risk Assessment Index, which measured the ability of respondents to assess cyber risk across 11 key components of the enterprise information technology landscape. Among those areas are many key components of digital transformation: Cloud environments, Containerization platforms, Datacenter / physical servers, Datacenter / virtual servers, Desktops (PCs), DevOps environments, Laptops / notebooks, Mobile devices, Network infrastructure, Network perimeter / DMZ, and Web applications.


“For the second straight year, practitioners cited the ‘overwhelming cyber threat environment’ as the single biggest challenge facing IT security professionals today, followed closely by ‘low security awareness among employees’ and ‘lack of network visibility’,” Thomas added.

Reviewing what can be done, Tenable’s Nicole Cieslak wrote in a recent post:

What can security professionals do to improve Risk Assessment and Security Assurance scores? One of the best starting points is to know exactly what is on a network at all times. You can’t secure what you don’t know about, and in today’s highly distributed and complex IT landscape, it’s more important than ever to have continuous visibility into all assets across cloud, hybrid and on-premises environments. Staying ahead of the security challenges that accompany new trends and technologies is also a priority.

Original research for the 2017 Global Cybersecurity Assurance Report Card was conducted by CyberEdge Group, a research and marketing firm. Readers can view or download the full survey report here.