On Tuesday, AttackIQ and the Ponemon Institute released new research on the current state of cybersecurity strategies and investment in the enterprise realm.
The report, “The Cybersecurity Illusion: The Emperor Has No Clothes,” includes responses from 577 IT and IT security practitioners working for US enterprise companies and suggests that while security budgets are increasing, awareness around cybersecurity as a whole is not.
On average, enterprise firms are spending $18.4 million every year on cybersecurity and 58 percent are planning to increase this level of investment by up to 14 percent over the 2019 – 2020 period.
However, those surveyed admitted that after deployment, cybersecurity solutions monitoring is thin on the ground and a total of 53 percent have no idea how well the tools and software implemented in corporate networks are performing.
With 47 cybersecurity solution deployments reported as an average, it is no wonder that IT staff have a tough time tracking and monitoring each tool.
A lack of visibility can muddy the water when it comes to a return on investment (ROI) and, furthermore, can mask any existing security holes which remain unresolved despite the implementation of cybersecurity solutions.
Only 39 percent of survey respondents said that their organizations are receiving full value from their investments, but this in itself could indicate that monitoring and performance metrics are an issue when it comes to ROI.
Cybersecurity and IT staff included in the research also reported an interesting issue with false reports and inadequate barriers to their networks. In total, 63 percent said they have experienced a security control reporting a threat blocked when in reality, the tool failed to stop malicious behavior.
“When processes and solutions like this fail, many companies respond by throwing more money at the problem,” Larry Ponemon, founder and chairman of the Ponemon Institute commented. “Further security spending needs to be put on hold until enterprise IT and security leaders understand why their current investments are not able to detect and block all known adversary techniques, tactics, and procedures.”
The fog surrounding cybersecurity in enterprise networks also appears to be contributing to failures in preventing data breaches. In total, 58 percent of respondents said a lack of visibility is a reason data breaches still occur at their companies, and only 41 percent of IT professionals believe their teams are effective in finding and plugging security holes in corporate infrastructure.
When it comes to penetration testing, less than 60 percent of those surveyed said routine tests take place, and close to one-third have no set dates or schedules in place. In addition, less than half — 48 percent — of respondents said that a security validation (CSV) platform is used to monitor the security of their networks.
“Companies are spending far too much money on cybersecurity solutions without knowing if they are effective,” said Brett Galloway, AttackIQ CEO. “More than half of the experts surveyed admit they are in the dark about how well the technologies they have are working and if they’re truly effective, which is alarming considering companies are relying on these technologies to protect sensitive information including customer data.”