Cyber-security professionals have become more skeptical of the security of their companies' computer systems and data due to a lack of confidence in their ability to secure the cloud and the “overwhelming cyber-threat environment,” according to a study published by network security company Tenable on Dec. 5.
The study, the 2017 Global Cybersecurity Assurance Report Card, is a survey of 700 cyber-security operations professionals, which found that workers had the least confidence in their ability to assess the risks to cloud infrastructure and Web applications. The overall score for risk assessment fell to 61 percent, down from 73 percent in the previous year’s study.
There was no improvement in any of the 11 risk assessment scores that measured security professionals’ confidence in their ability to detect threats, Cris Thomas, strategist for Tenable Network Security, told eWEEK.
“I hoped we would see things improve a bit, but that did not happen,” he said. “Almost all the scores across the board—the grades—went down, and I was very surprised to see that this year.”
Tenable’s Global Cybersecurity Assurance Report Card, now in its second year, is based on a survey of attitudes and beliefs of cyber-security professionals. The risk assessment component is a single question asking security workers to rate on a 5-point scale their companies' “ability to assess risk” in 11 different areas, including cloud environments, containerization platforms, virtual data centers, desktop computers, mobile devices and web applications.
A second score, the security assurance score, is made up of a similar ranking of six broad questions, such as whether the company has the tools to accurately measure the benefit of security investments or the ability to aggregate and analyze real-time intelligence. Security workers’ confidence in their company’s continued commitment to investing in security remained the same year-to-year, at 79 percent.
The worst area for cyber-security was the landscape of threats, but low security awareness of employees and a lack of visibility into the state of their networks and devices also left professionals unsure.
Yet, security workers seem hopeful that technology or training will make cyber-security more achievable in the future. Nearly two-thirds of the professionals surveyed were more optimistic about their organization’s ability to defend against a cyber-attack. Less than 10 percent were more pessimistic.
“As a defender that is important,” Thomas said. “If we had bad grades and we were pessimistic, that would be really bad.”
Professionals in nine countries were surveyed as part of the study. Companies in India, the United States and Canada had the best overall scores while Japan and Germany were at the bottom of the list of countries.
Surprisingly, the retail industry scored the best on the combination of the two scores, with 76 percent, while the government and education sectors had the worst averages, with 63 percent and 64 percent, respectively.
The biggest drop in risk assessment confidence happened with regard to web applications. Last year, security professionals scored 80 percent in their ability to detect risks to web applications, but this year, the score dropped to 62 percent.