The world’s information security practitioners have given global cyber security readiness a “C-” average with an overall score of 70 per cent, according to a new report from Tenable Network Security.
The 2017 Global Cybersecurity Assurance Report Card comprises insights from 700 security practitioners in nine countries and across seven industry verticals, including retail, financial services, manufacturing, telecom, health care, education and government.
According to this year’s data, global cyber security confidence fell six points over 2016.
The overall decline in confidence is the result of a 12-point drop in the 2017 Risk Assessment Index, which measured the ability of respondents to assess cyber risk across 11 key components of the enterprise information technology (IT) landscape.
For the second straight year, practitioners cited the “overwhelming cyber threat environment” as the single biggest challenge facing IT security professionals today, followed closely by “low security awareness among employees” and “lack of network visibility”.
“Today’s network is constantly changing – mobile devices, cloud, IoT, web apps, containers, virtual machines – and the data indicate that a lot of organisations lack the visibility they need to feel confident in their security posture,” said Cris Thomas, strategist at Tenable Network Security.
“It’s pretty clear that newer technologies like DevOps and containers contributed to driving the overall score down, but the real story isn’t just one or two things that need improvement, it’s everything that needs improvement.”
Key global findings
- Cloud darkening: Cloud software as a service (SaaS) and infrastructure as a service (IaaS) were two of the lowest scoring Risk Assessment areas in the 2016 report. SaaS and IaaS were combined with platform as a service (PaaS) for the 2017 survey and the new “cloud environments” components scored 60 per cent (D-), a seven point drop compared to last year’s average for IaaS and SaaS.
- A mobile morass: Identified alongside IaaS and SaaS in last year’s report as one of the biggest enterprise security weaknesses, Risk Assessment for mobile devices dropped eight points from 65 per cent (D) to 57 per cent (F).
- New challenges emerge: Two new IT components were introduced for 2017 – containerisation platforms and DevOps environments.
According to Tenable, DevOps is transforming the way software teams collaborate through increased consistency and automation, however this also introduces new security concerns. In fact, respondents reported just 57 per cent confidence in the ability to assess security during the DevOps process.
At the same time, adoption of containerisation technologies like Docker is rapidly increasing, as organisations look to accelerate innovation cycles and reduce time-to-market. However, only 52 per cent of respondents felt that their organisation had a handle on how best to assess risks within container environments.
Overall cybersecurity assurance report cards by country
- India: B (84 per cent)
- United States: C+ (78 per cent)
- Canada: C (75 per cent)
- France: C (74 per cent)
- Australia: C- (71 per cent)
- United Kingdom: D (66 per cent)
- Singapore: D (64 per cent)
- Germany: D- (62 per cent)
- Japan: F (48 per cent)
Overall cybersecurity assurance report cards by industry
- Retail: C (76 per cent)
- Financial services: C- (72 per cent)
- Manufacturing: C- (72 per cent)
- Telecom: C- (70 per cent)
- Health care: D (65 per cent)
- Education: D (64 per cent)
- Government: D (63 per cent)
Australia is the only country to achieve a higher overall score in this year’s report. Although its Risk Assessment score dropped five points to 64 per cent (D), its Security Assurance score rose to 78 per cent (C+) – the most improved score of any country or industry.
“The research would indicate that while Australian security practitioners have made some progress this year in their overall risk and compliance initiatives, the research shows that there are critical gaps in assessing DevOps environments, physical servers in datacentres and mobile devices.