The Continual Contradictions of Securing an Enterprise

It’s no secret that cyber threats continue to grow and CISOs are asked to spin more plates in their quest to prevent major and minor disasters. It’s not a job for the faint of heart, so we thought we’d check-in with senior-level security executives to understand where they’re at now⎯where do they feel they’ve made progress? What are they worried about? Where will they continue to focus investment? 

Push me pull you

In February, we undertook a survey of this brave breed, gathering input from a cross-sector representation within the US and the UK, from companies of varying size although mostly at the enterprise level. Conjuring up visions of Dr. Doolittle’s Pushmi-Pullyu, we learned that competing tensions drag senior security executives one way and then another, creating a web of contradictions that ripple across the security manager’s domain: Finite budgets but increasingly complex threats. Fast-growing, highly interdependent, but vulnerable value chains. The obligation to sustain old standby tools like antivirus despite the fact that respondents know it has limited effectiveness. And finally, organizations facing increasing volumes of files and documents traversing their networks, while still asking employees to act as a last line of defense. These incongruities present security leadership with a mesh of continually competing interests, opportunities and tensions from across the business. Even the best strategies will still have inherent risks.

As just a few highlights from our study show, concerns about email risks from 3rd parties top the list of potential security vulnerabilities we tested – that includes both email with attached documents and email that may include dangerous links. More than 40% of respondents recognize that employees remain susceptible to phishing attacks and engage in risky behaviors. At the same time, 85 percent are completely or mostly reliant on employees as their last line of defense. Only 9% of respondents expressed complete confidence in their antivirus solutions. And yet, despite the low confidence, 96% said they continue to invest in antivirus products.

Our research validates an industry issue that has been discussed for a long time behind closed doors – those in charge of security are caught in a web of contradictions, a repetitive cycle of codependence between the weakest links and the strongest assets. After hearing from top security leaders, it’s clear the security industry needs to have an honest discussion about what’s not working, and collectively reset the security standard to which all organizations must align. We invite you to download a copy of the full report here.