New research from Netenrich has found that 83% of companies suffer incapacitating business damage if they are down for 24 hours or more. Recent surges of ransomware and other attacks are creating tremendous business risk, yet security resources remain modest at around 30% of IT budgets. The disconnect between business risk and resources continues: most security teams’ resources have increased by less than 10% since employees began to work from home, despite the growing attack surface and threat vectors.
When security professionals are asked how they are trying to improve their company’s security posture, the top answer is upgrading tools (67%), an effort which they also report is being thwarted by integration difficulties, lack of expertise, and an overwhelming surplus of available tools. However, only 35% plan to hire more experienced staff to bring in expertise and grow the team. This low level of resourcing compounds the reliance on tools, and tool maintenance consumes a disproportionate share of key personnel’s time.
Given the new threats, it’s surprising that a majority of security teams are trapped doing the same thing they have been doing for years: adding even more tools and needing more resources to manage them. However, when asked what security professionals actually want to do, the top answer is risk management, followed by incident analysis and threat modeling. This indicates a philosophical shift from reactive tools to a proactive risk-based approach. This report finds 68% of companies prioritize threats according to potential cost to the business, and the impact they fear most is loss of data and negatively affecting customer relationships.
Security professionals state that threat modeling specifically enables a proactive approach: it evaluates business risk by understanding the likelihood of attack success and mapping that potential breach to actual business cost. This risk-based approach prioritizes security defenses around the most likely, most impactful attack vectors. Unfortunately, this research finds that fewer than 40% of companies perform threat modeling today, and only 30% practice external attack surface management.
With security team resources growing slowly and consumed by patching, updates, and tool upgrades, combined with a lack of expertise, it’s not surprising that 47% of companies utilize managed service providers (MSPs) today. But with extra resources available, it’s disappointing to find that only 17% of the MSPs are being employed to perform threat modeling.
Security professionals know that they are being reactive and acknowledge that repeating the same security methods will not secure their company from growing and evolving attack risks. However, they cannot escape numerous mundane and low-value tasks siphoning their time. Looking to MSPs is a solid strategy that can free teams up to be proactive, focus more on risk management and threat modeling, and initiate the change to a proactive risk-based security approach.
Read the full report by Netenrich.