To gauge the perceptions of security professionals on the state of security in their organizations, Cisco asked chief security officers (CSOs) and security operations (SecOps) managers in several countries and at organizations of various sizes about their perceptions of their own security resources and procedures. The Cisco 2017 Security Capabilities Benchmark Study offers insights on the maturity level of security operations and security practices currently in use, and also compares these results with those of the 2016 and 2015 reports. The study was conducted across 13 countries with more than 2900 respondents.
Security professionals want to make their organizations more secure, but in a way that responds to the complex attacker landscape and their adversaries’ efforts to expand their operational space. Many organizations are relying on many solutions from many vendors. This tactic adds to the complexity and confusion of securing networks as the Internet continues to grow in terms of speed, connected devices, and traffic. Organizations need to aim for simplicity and integration if they are to protect themselves.
Perceptions: Security Professionals Confident in Tools, Less Sure They’re Using Them Effectively
Most security professionals believe that they have adequate solutions on hand and that their security infrastructures are up to date. However, according to our study, this confidence comes with some uncertainty. These professionals are not always sure they can muster the budgets and brainpower to truly take advantage of the technology they have.
Threats to organizations are coming from every direction. Adversaries are nimble and creative, and they’re able to outfox defenses. Even in this sobering environment, the majority of security professionals feel confident that their security infrastructure is up to date, although that confidence appears to be waning a bit from previous years. In 2016, 58 percent of the respondents said their security infrastructure is very up to date and is constantly upgraded with the latest technologies. Thirty-seven percent said they replace or upgrade their security technologies on a regular basis but aren’t equipped with the latest-and-greatest tools (Figure 44
In addition, more than two-thirds of security professionals perceive their security tools as very effective or extremely effective. For example, 74 percent believe their tools are very or extremely effective in blocking known security threats, while 71 percent believe their tools are effective at detecting network anomalies and dynamically defending against shifts in adaptive threats (Figure 45
The problem: Confidence in tools does not necessarily transfer to effective security. As the study indicates, security departments are wrestling with complicated tools from many vendors, as well as a lack of in-house talent. This boils down to an “intent versus reality” problem. Security professionals want simple, effective security tools, but they don’t have the integrated approach they need to make this vision happen.
Security remains a high priority for the top levels of many organizations. And security professionals believe that executive teams keep security high on the list of key organizational goals. The challenge, of course, is to match executive support with the talent and technology that can affect security outcomes.
The number of security professionals strongly agreeing that their executive leadership considers security a high priority was 59 percent in 2016, down slightly from 61 percent in 2015 and 63 percent in 2014 (Figure 46
). In 2016, 55 percent of security professionals agreed that security roles and responsibilities are clarified within their organization’s executive team; in 2015 and 2014, 58 percent agreed.
In summary, security professionals have confidence in the tools on hand, and they appear to have the ear of corporate leaders in addressing security issues. But that confidence is waning slightly. Security professionals are becoming aware of attacker successes and the unwieldiness of managing the growing attack surface.Constraints: Time, Talent, and Money Affect the Ability to Respond to Threats
If security professionals are relatively confident that they have the tools needed to detect threats and mitigate damage, they also recognize that certain structural constraints stand in the way of their goals. A tight budget is a perennial challenge. But other constraints on effective security speak to the problems of simplifying and automating security.
In 2016, 35 percent of security professionals said that budget was their biggest obstacle to adopting advanced security processes and technology (a slight decrease from 2015, when 39 percent said budget was the number one obstacle), as seen in Figure 47
. As in 2015, compatibility issues with legacy systems was the second-most-common obstacle: 28 percent named compatibility in 2016, compared with 32 percent in 2015.
Money is only part of the problem. For example, compatibility issues speak to the problem of disconnected systems that don’t integrate. And concerns about the lack of trained personnel highlight the problem of having the tools but not the talent to truly understand what is happening in the security environment.
The struggle to find talent is a concern, considering the expertise and decision-making abilities needed to fight targeted attacks and shifting adversary tactics. A well-resourced and expert IT security team, paired with the right tools, can make technology and policies work together and achieve better security outcomes.
The median number of security professionals at the surveyed organizations was 33, compared with 25 in 2015. In 2016, 19 percent of organizations had between 50 and 99 dedicated security professionals; 9 percent had 100 to 199 security professionals; and 12 percent had 200 or more (Figure 48
).Outsourcing and the Cloud Help Stretch BudgetsMany security professionals participating in the benchmark study felt they were cashstrapped when making security purchases. They stretched their budget by outsourcing some tasks or using cloud solutions. They also relied on automation.
The number of security professionals varies by organizational size. As shown in Figure 49
, 33 percent of large enterprises with more than 10,000 employees had at least 200 security employees.
Whatever the constraints, security professionals need to ask hard questions about the barriers that limit their ability to face coming threats.
For example, when it comes to budget, how much is really enough? As survey respondents explained, security teams must compete against many other corporate priorities, even within the IT setting. If they can’t secure funds for more tools, then the budget they do have must work harder. For example, automation can be used to offset limited manpower.
Similar questions should be asked about the software and hardware compatibility problem. As compatibility issues multiply, how many different versions of software and hardware—most of which may not be operating effectively— must be managed? And how will security teams handle the multiple certification requirements needed?
Aside from those limitations, security professionals are also placing slightly less emphasis on security operationalization. This trend may raise concerns that security professionals are building a suboptimal security infrastructure. Signs of a weakening focus on operationalization can indicate that organizations are not prepared to defend a widening attack landscape.
For example, in 2016, 53 percent of the respondents strongly agreed that they review and improve security practices regularly, formally, and strategically; in 2014 and 2015, 56 percent strongly agreed. Likewise, in 2016, 53 percent said they strongly agreed that they routinely and systematically investigate security incidents, compared with 55 percent in 2014 and 56 percent in 2015 (Figure 50
If security professionals are slipping in their goals to put security into use, then it may not be a surprise that they can’t effectively deploy the tools they have, much less add new tools. If, as study respondents told us, they cannot use the technology that they already have on hand, they need simpler streamlined tools that automate security processes. And those tools need to provide a holistic picture of what is going on in the network environment.
The lack of integration in security can allow gaps of time and space, where bad actors can launch attacks. The tendency of security professionals to juggle solutions and platforms from many vendors can complicate assembling a seamless defense. As seen in Figure 51
, a majority of companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products.
If operationalization goals are slipping, if tools are not used at their maximum effectiveness, and if manpower is not robust, the result is faltering security. Security professionals are forced to skip the investigation of alerts simply because they do not have the talent, tools, or automated solutions available to determine which ones are critical and why they are occurring.
Perhaps due to several factors—such as the lack of an integrated defense system or the lack of staff time— organizations are able to investigate a little more than half the security alerts they receive in a given day. As shown in Figure 52
, 56 percent of alerts are investigated, and 44 percent are not investigated; of those alerts that are investigated, 28 percent are deemed legitimate alerts. Forty-six percent of legitimate alerts are then remediated.
To put the problem into more concrete terms, if an organization records 5000 alerts per day, this means:
- 2800 alerts (56 percent) are investigated, while 2200 (44 percent) are not
- Of those investigated, 784 alerts (28 percent) are legitimate, while 2016 (72 percent) are not
- Of the legitimate alerts, 360 (46 percent) are remediated, while 424 (54 percent) are not remediated
The fact that nearly half of alerts go uninvestigated should raise concern. What is in the group of alerts that is not being remediated: Are they low-level threats that might merely spread spam, or could they result in a ransomware attack or cripple a network? To investigate and understand a greater slice of the threat landscape, organizations need to rely on automation as well as properly integrated solutions. Automation can help stretch precious resources and remove the burden of detection and investigation from the security team.
The inability to view so many alerts raises questions about their impact on an organization’s overall success. What could these uninvestigated threats do to productivity, customer satisfaction, and confidence in the enterprise? As respondents told us, even small network outages or security breaches can have long-term effects on the bottom line. Even when losses were relatively minor and the affected systems were fairly easy to identify and isolate, security leaders regard breaches as significant because of the stress they put on the organization.
The stresses can affect organizations in many ways. Security teams must devote time to managing network outages that occur after a security breach. Nearly half of these outages lasted as long as 8 hours. Forty-five percent of the outages lasted from 1 to 8 hours (Figure 53
); 15 percent lasted 9 to 16 hours, and 11 percent lasted 17 to 24 hours. Forty-one percent of these outages affected between 11 percent and 30 percent of the organizations’ systems.Impact: More Organizations Experience Losses from Breaches
The effects of breaches aren’t limited to outages. Breaches also mean the loss of money, time, and reputation. Security teams who believe they will dodge this bullet are ignoring the reality of the data. As our study shows, almost half of organizations have had to cope with public scrutiny following a security breach. Given the attackers’ range of ability and tactics, the question isn’t if a security breach will happen, but when.
As the benchmark study shows, security professionals are jarred into reality when breaches occur. They often change security strategies or bolster defenses. Organizations that have not yet suffered a breach of their networks due to attackers may be relieved they’ve escaped. However, this confidence is probably misplaced.
Forty-nine percent of the security professionals surveyed said their organization has had to manage public scrutiny of a security breach. Of those organizations, forty-nine percent disclosed the breach voluntarily, while 31 percent said the disclosure was made by a third-party (Figure 54
). In other words, nearly one-third of the surveyed organizations were forced to deal with the involuntary disclosure of a breach. It’s clear that the days of quietly dealing with breaches may be long gone. There are too many regulators, media, and social media users who will expose the news.
The damage to organizations goes far beyond the time it takes to deal with a breach or outage. There are real and substantial impacts that enterprises should try mightily to avoid.
As seen in Figure 55
, 36 percent of security professionals said that operations was the function most likely to be affected. This means that core systems of productivity, which affect industries from transportation to healthcare to manufacturing, can slow down or even grind to a halt.
After operations, finance was the function most likely to be affected (cited by 30 percent of the respondents), followed by brand reputation and customer retention (both at 26 percent).
No organization that plans to grow and achieve success wants to be in a position of having critical departments affected by security breaches. Security professionals should view the survey results with an eye toward their own organizations, and ask themselves: If my organization suffers this kind of loss from a breach, what happens to the business down the road?
The opportunity losses for companies suffering online attacks are daunting. Twenty-three percent of the surveyed security professionals said that in 2016, their organizations experienced a loss of opportunity due to attacks (Figure 56
). Of that group, 58 percent said that the total opportunity lost was under 20 percent; 25 percent said the lost opportunity was 20 to 40 percent, and 9 percent said the lost opportunity amounted to 40 to 60 percent.
Many organizations can quantify the revenue losses they experience due to public breaches. As seen in Figure 57
, 29 percent of security professionals said their organizations experienced a loss of revenue as a result of attacks. Of that group, 38 percent said that revenue loss was 20 percent or higher.
Online attacks also result in fewer customers. As shown in Figure 58
, 22 percent of organizations said they lost customers as a result of attacks. Of that group, 39 percent said they lost 20 percent of their customers or more.Outcomes: Increased Scrutiny Will Play a Role in Security Improvements
As the survey results show, the impact of breaches can be long-lasting and widespread. If one assumes an organization will be affected by a breach at some point, the question is, what happens next? Where should management shift their attention and resources so that breaches are less likely to occur?
The aftermath of a breach is a learning opportunity, an experience that should not go to waste in terms of investing in better approaches.
Ninety percent of the security professionals said that a security breach drove improvements in threat defense technologies and processes, as shown in Figure 59
. Of those organizations affected by breaches, 38 percent said they responded by separating the security team from the IT department; 38 percent said they increased security awareness training among employees; and 37 percent said they increased their focus on risk analysis and mitigation.
Organizations recognize that they have to exercise creativity to move beyond the constraints of talent, technology compatibility, and budget. One strategy is to adopt outsourced services to strengthen the budget and also tap into talent that may not be in-house. In 2016, 51 percent of security professionals outsourced advice and consulting, while 45 percent outsourced incident response (Figure 60
). Fifty-two percent said they outsource services to save costs, while 48 percent said they do so to obtain unbiased insights.
As they do with outsourcing, organizations also rely on third-party vendors to augment their defense strategies. The security ecosystem provides them with ways to share the responsibility for security.
Seventy-two percent of the security professionals said that they rely on third-party vendors for 20 to 80 percent of their security, as seen in Figure 61
. Those organizations that rely heavily on outside help for security were most likely to say that they will increase their use of third-party vendors in the future.
As organizations take steps to strengthen their security posture, they can expect that more attention will be paid to their efforts. This scrutiny will come from influential audiences and therefore can’t be ignored. How these audiences’ concerns are addressed can have a significant impact on an organization’s ability to defend itself.
Seventy-four percent of the security professionals said scrutiny will come from the executive leadership; 73 percent, from clients and customers; and 72 percent, from employees, as seen in Figure 62
.Trust Versus Cost: What Drives Security Purchases?
Security professionals want the very best solutions for protecting their organizations, but their perceptions differ on how to create the ideal secure environment. Do they purchase best-of-breed solutions from a variety of vendors because they trust these solutions will solve many different problems? Or do they turn to an integrated architecture, because they believe this approach is more cost-effective? Although there are many drivers for security investments, greater simplicity can benefit every organization.
As seen in Figure 63
, the security professionals seem evenly split between trust and cost in choosing between best-of-breed and architected solutions. Sixty-five percent said they favor best-of-breed solutions because they trust them more than an enterprise architecture approach. On the other hand, 59 percent said they favor an architected approach because they believe it is more cost-effective. This isn’t an either/or dilemma. Organizations need both best-of-breed and integrated security solutions. Both approaches offer benefits and will simplify security while providing automated response tools (Figure 63
By combining best-of-breed solutions with an integrated approach, security teams can take steps toward less complex yet more effective security. The integrated approach helps security professionals understand what’s happening at every stage of defense. Such an approach reduces attackers’ operational space. It is simple, allowing teams to deploy solutions at scale. It is open, allowing for best-of-breed solutions as needed. And it’s automated for faster detection.
Summary: What the Benchmark Study Reveals
There is a world of difference between amassing security tools and actually having the capability to use those tools to reduce risk and close the operational space for adversaries. Respondents to the benchmark study believe they have the tools that will thwart attackers. But they also acknowledge that constraints such as a lack of manpower and poor product compatibility can render good tools much less effective than they’d hoped.
The sobering findings regarding the impact of breaches should provide security professionals with ample evidence of the need to improve processes and protocols. Faced with real and immediate effects like lost revenue and customers, organizations can no longer simply wish away gaps in security protection, because the question is not if a breach will happen, but when.
One takeaway from the benchmark study is that the constraints limiting agile and effective security will always be with us: There will never be as much budget and talent as security professionals believe they need. If we accept these constraints, then the idea of simplifying security and deploying automated solutions makes sense. Simplifying security also makes use of best-of-breed solutions and an integrated architecture. Organizations need the benefits of both approaches.