03:20 PM
Connect Directly

Cybersecurity Readiness Confidence Declined In 2016

New report querying security pros shows increase in worry about risks with mobile and cloud environments.

The confidence of security practitioners in global cybersecurity readiness fell slightly in 2016, according to a new report out today by CyberEdge Group and Tenable.

The 2017 Global Cybersecurity Assurance Report Card took a temperature-check from 700 security professionals about a number of key indicators to come up with a global index score to reflect their ability to assess cyber risks and their ability to mitigate threats. The study showed that the index fell six points in the last year to an overall "C-" score of 70%.

A big part of that drop came on the back of a 12-point decline in risk assessment capabilities. As a part of the assurance report, security practitioners were asked about their risk assessment capabilities in 11 key areas, including cloud environments, endpoints, and Web servers. Most areas achieved no better than mediocre scores, with the worst performances in emerging categories like containerization and DevOps environments, which received failing grades.

"Today’s network is constantly changing — mobile devices, cloud, IoT, Web apps, containers, virtual machines — and the data indicate that a lot of organizations lack the visibility they need to feel confident in their security posture," says Cris Thomas, strategist, Tenable Network Security. "It's pretty clear that newer technologies like DevOps and containers contributed to driving the overall score down, but the real story isn’t just one or two things that need improvement, it’s that everything needs improvement."

For example, despite years of lead time on the cloud front, many organizations are still struggling to assess cloud risks, according to the report. When it comes to the confidence in their organizations' abilities to assess risks in SaaS, IaaS, and PaaS environments, respondents gave an average D- score of 60%, down seven points compared to last year's confidence in cloud security. Similarly, confidence in mobile device risk assessment fell eight points, to a failing grade of 57%.

Respondents were also asked about the biggest challenges impacting their readiness. The two biggest challenges they cited: the overwhelming cyber threat environment and low security awareness of employees.

Even so, security practitioners were rosy about the ability of their organization to improve scores. When asked about whether they are optimistic or pessimistic about their organization's ability to protect against attacks this year compared to last year, nearly 65% say they were somewhat or significantly optimistic.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
12/5/2016 | 4:41:52 PM
No Surprise - Next Steps?
I read these reports in full typically before I comment, but in terms of the drop I don't think anyone didn't see that coming with the massive shift to cloud computing for huge numbers of applications, the explosion of mobile computing companies and decentralization of IT resources (end user devices and servers). 

What was really telling was the change in my industry, Healthcare.  We have really got to get that one to the top of the grading system - anything less than an "A" is not acceptable when it comes to finances and healthcare privacy.

Now it's all about next steps, and here's to those being concrete, doable action items rather than more frilly process changes, pie-in-the-sky, big picture fantasies...
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-09-25
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The at...
PUBLISHED: 2018-09-25
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming larg...
PUBLISHED: 2018-09-24
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exist...
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Samsung Members Fixed in version 2.4.25. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists wit...
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S8 G950FXXU1AQL5. User interaction is required to exploit this vulnerability in that the target must have their cellular radios enabled. The specific flaw exists within the handling of ...