IT Security Decision Makers Struggle to Implement Strategies

In a context of increasingly complex threats and major changes in the way organizations operate, IT security decision makers are struggling to cope with rising risks, especially when it comes to securing access and defending against identity attacks.

These were among the results of a global survey of 2,100 IT security decision makers conducted by Sapio Research on behalf of security firm Delinea.

The survey revealed that more than 80% of organizations experienced an identity-related security breach in the last 18 months.


The research also found that while identity security is a priority for security teams, nearly two-thirds of respondents said they believe leaders don’t understand its importance.

“The good news we found is that many organizations are realizing the importance of protecting identities,” said Joseph Carson, chief security scientist and advisory CISO at Delinea. “However, they need to take action and accelerate the journey towards protecting against identity-based cyberattacks.”

Closing security gaps

While many organizations are well on their way to securing and reducing cyber risk to the business, the challenge is that there are still large security gaps that attackers can take advantage of, Carson said.

“That includes securing privileged identities,” he said. “An attacker only needs to find one privileged account.”

Some of the most significant impacts of identity breaches or attacks using stolen credentials include:

  • loss of sensitive data
  • financial costs from loss of activity
  • business downtime
  • damage to the brand and reputation of the company

As long as companies still have many unprotected privileged identities, such as application and machine identities, attackers will continue to exploit them and affect business operations in exchange for a ransom payment, Carson said.

“The good news is that organizations are realizing the high priority of protecting privileged identities,” he added. “The sad news is that many privileged identities are still exposed because securing human privileged identities is not enough.”

The survey also revealed that 90% of respondents agree that identity security is important to achieving business goals, while 87% say they agree that securing identities is a top priority for the next 12 months.

However, just under 30% of respondents said they were running to meet demands, lacking the resources or budget to fully implement an agreed strategy.

At the same time, more than half of organizations surveyed said they had not implemented ongoing security policies and processes for access management, such as multi-factor authentication (MFA) or rotating or approving passwords, among other defense approaches.

Need for better communication between IT security decision makers and C-Suite

The security gap isn’t just widening between the business and attackers, but also between IT managers and business executives, according to Carson.

“Although in some industries it is improving, the problem still exists,” he said. “Until we solve the challenge of communicating the importance of cybersecurity to the board and the business, IT security decision makers will continue to struggle to secure the resources and budget to fill the safety gap.”

From Carson’s perspective, that means there has to be a change in attitude at the C-suite level.

“To make this possible, communication between IT security managers and the C-suite must also evolve into communication that demonstrates the relationship between cybersecurity and business value,” he explained. “For too long we have focused on fear when discussing cybersecurity.”

Carson said the attitude needs to change to focus on business value and how cybersecurity actually helps the business succeed.

Until the communication between IT security managers and the C-suite evolves, the C-suite will continue to see cybersecurity simply as a checkbox approach or view cyber insurance as the way to cover the risks the organization is exposed to, he said.

“I think the issue here is entirely in communication, and communication of cybersecurity business risks is an area we need to focus on moving forward,” Carson said.
