Panaseer, a security posture management company specializing in Continuous Controls Monitoring (CCM), has released the third edition of its Security Leaders Peer Report. The report examines the concerns and constraints of chief information security officers (CISOs) other senior cybersecurity leaders across the U.S. and U.K.
The survey, conducted by Censuswide, polled more than 800 people from large organizations, finding that almost 9 in 10 security leaders see the failure of controls as the primary reason for data breaches, according to a prepared statement.
Additionally, 79% of enterprises have experienced cyber incidents that should have been prevented with existing safeguards. As a result, most breaches are preventable but are still occurring, and security leaders are becoming increasingly frustrated, Panaseer said.
Panaseer’s report examines how security professionals are personally impacted by the high-pressure environment they work in. Many revealed that a lack of visibility and understanding of their security posture is the leading cause of their frustrations.
The inability to continuously measure enterprise-wide security posture and identify control failures ranked as No. 1, with 70% of respondents “frustrated,” the report stated. Incidents that should have been stopped by an expected control followed closely, with 68% “exasperated by this inability to stop preventable breaches.”
Manual Collection of Security Data Increased
Each year, Panaseer’s report also looks at how much time security teams dedicate to manually collecting and reporting on security data. This year, Panaseer found that teams spend 59% of their time on these tasks — a 9% increase on the previous year's research and a 64% rise from the first survey in 2019. In fact, 70% of security teams now spend more than half of their time on manual reporting, leaving less time for threat detection and vulnerability patching.
Andreas Wuchner, Field CISO at Panaseer, stressed the imperative for security teams:
"To effectively reduce the significant amount of time spent manually reporting, CISOs and their teams need to be looking to automation. As well as freeing up qualified security professionals to dedicate time to higher value tasks — from threat detection to business continuity planning — automation provides the road to accurate, trustworthy data. We need to prioritize the maturation of automation, metrics and risk management in order to help teams cope with heavy reporting workloads."
Measuring Risk
In overcoming the issue of preventable breaches and frustrated security teams, only 44% of organizations are extremely confident in their ability to continuously measure their control gaps, Panaseer reports. Respondents pointed to a lack of internal resources (39%), inability to evidence remediation (38%), ineffective tooling (34%) and poor control failure visibility (34%) as the reasons behind this lack of confidence.
However, 82% agree that monitoring and addressing expected controls failure and risk would likely have a bigger impact on their security posture than buying additional tools, Panaseer found. This is particularly pertinent given the issue of tool sprawl, as Panaseer’s two previous reports showed that it's not uncommon for organizations to use more than 75 or even 100 security tools.
Fortunately, awareness of how these control failures can be addressed is growing, Panaseer asserts. For that matter, 88% of security leaders stated they are likely to implement a CCM platform in the next two years — a solution critical to measuring and advising on security control effectiveness. That compares to 79% who said the same in 2022.
More Findings From The Report
Other key findings from Panaseer’s report points toward a lack of confidence in what to measure to improve security posture. For example:
- Nearly all (99%) security leaders are actively engaged in trying to benchmark their security metrics, policies and standards. But almost three-quarters (72%) admit they are not absolutely satisfied with their ability to do so currently
- Less than half of respondents are highly confident they are continuously evaluating best practice security metrics specifically aligned to their organizational size and industry
- Of the remainder, 47% simply don't know the right metrics to monitor, and 51% don't have the resources to help them do it.