A cybersecurity executive’s world is one crowded with decisions to make and learning curves to master around a range of growing threats. With that in mind, IronNet recently commissioned the independent research firm Vanson Bourne to interview 200 US security IT decision makers from industries including technology, telecoms, retail, financial services, government, media, utilities and many other sectors.
Our goal: to clarify the perceptions and the reality around cybersecurity solutions and how well they’re performing. You can download the survey results from our website, but essentially, the picture that emerges from our survey is one of an industry collectively to balance high confidence in current systems and practices against the need to continually improve and mature those systems. Let’s look at few of the survey’s top findings:
Confidence Amid Continued Vulnerability
The survey polled respondents — more than half of whom serve in C-level positions — on issues ranging from confidence and efficacy around their cybersecurity solutions and perceived vulnerabilities, to Artificial Intelligence and Machine Learning investment decisions and attitudes on collective defense and threat sharing. Among the study’s key findings: Respondents are most likely to rate their organization’s cybersecurity technology, systems and tools as advanced (85%). But critically, they still reported an average of one cybersecurity incident every three months. In fact, 80% said an attack severity was such that C-level/board meetings were required afterward.
As for their willingness to collaborate with others on collective defense, 94% of respondents say that their organization would be willing to increase the level of threat sharing with their industry peers if it demonstrably improved their ability to detect threats. And 92% of respondents say that they would increase their level of threat sharing with government if it enabled the government to use political, economic, cyber or other national level capability to deter cyber attacks.
All of this is happening in an environment where threat actors are increasingly sharing techniques and best (or worst) practices to make their attacks more profitable for themselves and more damaging to organizations. Because of this, our IronNet survey concludes that — in the face of adversaries who are increasingly collaborating for a collective offense — organizations must mature their collective defense to meet these powerful and ever-changing threats.
Meeting the Rising Threat of “Collective Offense”
It no longer takes a nation-state to mount a nation-state-grade attack. And threat actors are increasingly sharing techniques and best (or worst) practices to make their attacks more profitable for themselves and more damaging to organizations. It’s a collective offense that is testing the integrity of cyber defenses everywhere.
The rise of collective offense is troubling on a number of fronts — not least of which is the level of reported coordination among threat actors in the 2016 US election hacking with the help of third party intermediaries. Collective offense collaboration can come at the behest of nation-state actors and/or between various independent “cyber mercenary” groups. And to make matters worse, collaboration is happening not just before and during an attack — but also afterward, as cyber criminals share data from successful breaches and sell their exploit tools on dark web.
Against this backdrop — and as the IronNet survey by Vanson Bourne makes clear — while business concerns often vary from one industry to the next, there’s a surprising consensus when it comes to cybersecurity. Regardless of the industry, more than half of security IT decision makers reported concerns about data or IP theft (59%) and destructive attacks on their systems (58%).
These are followed by fears of attacks that cause business disruption (40%), include financial theft (37%), incur a large cost for recovery (36%) or result in damage to the organization's reputation (28%). Adding to the fears are doubts about the effectiveness of Artificial Intelligence or Machine Learning. Of the 27% who said their organization hasn’t invested in AI/ML in the past 12 months, the majority listed ROI among the top reasons for not making that investment.
That’s a lot of concerns to uncover in just one survey; and how successfully executives navigate these concerns seems closely tied to a few priorities and best practices the survey uncovered. We’ll take a closer look at those in a future post.