Interviews with 1,967 professionals at the recent Cisco Live and Black Hat USA conferences found that more than 75 percent of network management and security professionals believe that automated tools give hackers the upper hand in evading the defensive systems utilized by most enterprises to protect their critical assets and data.
Further compounding the issue, a vast majority of those IT pros surveyed reported that their employers – for the most part large organizations – cannot maintain necessary layered defenses based on their inability to determine where gaps in those systems exist.
Among the finidings:
- Over 71 percent of respondents admitted that their networks are exposed to external threats due to misconfiguration issues present in their security device infrastructure.
- More than 50 percent had no idea how many of their organizations' internal hosts were actually exposed to the Internet.
- Roughly 52 percent conceded that their vulnerability management initiatives don't allow them to prioritize remediation based on the likelihood of real-world attacks.
And while many security regulations and industry leaders have recommended for years that enterprises adopt a more metrics-driven approach toward measuring the effectiveness of security infrastructure, only 47 percent of respondents said that their employers do so today.
"More surprising than the overwhelming perception among today's professionals that hackers have the upper hand, based on attack automation and gaps in enterprise defense, is that so few have access to metrics that demonstrate how well security infrastructure is working," said David Gehringer, Senior Research Analyst for Dimensional Research. "The numbers bear out that there's genuine concern among practitioners that they lack the tools and information needed to stop the threats that their organizations face."
Other key findings include:
- Some 86 percent of energy company employees believe hackers have more advanced automated tools, followed by 84 percent of government workers, 79 percent of telecommunications staffers, 71 percent of healthcare practitioners and 70 percent of financial services professionals, respectively.
- 51 percent of chief information security officers said they don't believe, or don't know that vulnerability assessment tools provide enough information to identify their most important security exposures.
- Some 56 percent of CISOs said they either don't have effective metrics to measure security effectiveness or don't know if those metrics even exist; 55 percent of network management officials made the same admissions.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.