Majority of IT security pros say their infrastructure has gaps

The report additionally finds that 63 percent of IT security staff do not report to the board about cybersecurity issues on a regular basis. Furthermore, a sizeable number do not report to the board at all. This low profile for IT within many enterprises is bound up with cybersecurity weaknesses. The report is titled: “The Cybersecurity Illusion: Enterprise Security Remains Reactive.”

This new report follows earlier Ponemon Institute research released July 30, 2019 (“The Cybersecurity Illusion: The Emperor Has No Clothes”), which found that enterprises are spending $18.4 million (mean figure) every year on cybersecurity investments. However, 53 percent report that they have no real idea whether the tools they are deploying are effective. Breaches continue to happen at a high rate since only 41 percent of companies can accurately identify their own cybersecurity gaps and fix them, and the board of directors and senior leaders are not engaged in ensuring their organization’s security strategy.

The earlier study also found that 63 percent of respondents said they have observed a security control reporting it blocked an attack when it actually failed to do so. In addition, just 39 percent of respondents say they are getting full value from their security investments.

To address the weaknesses, the new report recommends that enterprises assign accountability to one function for the validation of the effectiveness and efficiency of the organization’s strategy, technologies, and controls with a direct reporting relationship to senior leadership.

The report also recommends that companies invest in technologies that provide greater visibility into the IT security infrastructure to identify gaps in coverage and vulnerabilities. Furthermore, IT departments should understand how best to communicate the state of the organization’s security posture to the board of directors and CEO. There needs to be a regular schedule for meeting with the board and senior leadership, perhaps via a board-level cybersecurity committee that participates in determining an acceptable risk level.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
