By: Judi Ritter Sutherland
RedSeal, a security analytics company, recently conducted a comprehensive study revealing nearly 60 percent of the 350 C-Suite level US executives surveyed believe they can “truthfully assure the board beyond a reasonable doubt” that their organization is secure.
Despite this confidence, RedSeal noted that numerous studies have found most organizations, up to 97 percent, are being breached. A further inconsistency is that 86 percent of those surveyed said there are gaps in their ability to see and understand what's really happening in their networks.
Furthermore, nearly three quarters of the respondents said they “don’t know for a fact that [their] networks are currently under attack by hackers.”
“It’s remarkable how many executives say their networks are secure—until we drill down into the issue, and it becomes obvious not only that there are vulnerabilities, but also that many organizations have no idea where those weak spots are,” said Ray Rothrock, chairman and CEO of RedSeal. “This is exactly why corporations get breached so often even though they’ve invested in excellent security products. Security is a strategic, top-level issue, and it needs to be treated as such by the entire organization. The network is the business.”
RedSeal attributed the major gap between perception and reality to treating network security as a technology issue rather than taking a strategic, enterprise-wide approach to it. The report reveals a lack of understanding about what strategic security actually entails.
For example, almost half the respondents asserted security is strategic to their businesses, yet 72 percent said security products—including anti-virus, firewalls, monitoring, etc.—are necessary but not strategic to their business.
The study emphasized that achieving optimal security requires organizations to build and utilize a strategic approach to network security that blends top-tier technologies with operations and policies that enable full network transparency.
Specifically, the respondents indicated a strategic security solution requires an understanding of all the possible ways attackers can get in and out of their network, as well as a clear understanding of how to fix network security problems that do occur.
The surveyed executives also said strategic security requires obtaining the kind of intelligence that would allow them to comprehensively see and verify their organization’s overall state of security. They would also like to have the ability to tell “at a glance” whether or not their security investments are working correctly or optimally.
“Cybercrimes have now become so commonplace that the issue sometimes doesn’t get the attention it should, and that’s a huge mistake,” said Richard Stiennon of IT-Harvest. “If you have high confidence that you will not be breached, you are doing something wrong, or more likely, not doing all you should be doing. Security should be addressed as a strategic concern by every high-ranking executive and board member.”