Ponemon Study: Only 28 Percent of Enterprises Say CEO and Board Approves Acceptable Level of Cyber Risk, Demonstrating Clear Lack of Accountability

SAN DIEGO--AttackIQ, the largest independent leader of the continuous security validation market, today released a report based on Ponemon Institute research evaluating accountability for ensuring the effectiveness and efficiency of security practices, technologies, and controls within enterprises. Ponemon surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organizations’ IT security strategy, tactics, and technology investments. The results of this report demonstrate a clear lack of accountability, especially on the board and among C-suite executives, and a lack of confidence in determining the efficacy of security technologies.

“Enterprise culture is formed at the top. If enterprise leaders are not actively engaged in ensuring a strong cybersecurity posture, it sends the message that cybersecurity is not a mission critical issue,” said Larry Ponemon, founder and chairman of Ponemon Institute. “The board of directors and C-suite typically come under fire when their organization suffers a data breach or other security incident, and therefore must be involved in enforcing a proactive approach to identifying and remediating security gaps. While most companies have an executive tasked with accurately determining the efficacy of their cybersecurity strategy, they need to be communicating these findings to senior leaders and the board on a regular basis.”

According to the findings, the board of directors and senior leadership are not actively engaged in ensuring the effectiveness of their organization’s security strategy. Key data points include:

  • 63 percent of survey respondents say their IT security leadership does not report to the board on a regular basis, and 40 percent say they don’t report to the board at all
  • 14 percent of respondents say their IT security leadership only reports to the board following a security incident
  • Only 28 percent of respondents say the board and CEO determines and/or approves the acceptable level of cyber risk for the organization
  • Only 21 percent of respondents say their board and CEO require cybersecurity due diligence in a merger and acquisition process, a critical step to minimizing the potential risk

Most organizations do not take a proactive approach to security and acknowledge that their IT security infrastructure has gaps in coverage, allowing attackers to penetrate defenses. They are in need of better monitoring tools that will improve their ability to communicate the effectiveness of their security infrastructure to the board and C-suite. Key data points include:

  • 69 percent of respondents say their organization’s security approach is reactive and incident driven
  • 63 percent of respondents say their IT security leadership needs better monitoring tools to improve their ability to communicate the effectiveness of security infrastructure and potential gaps to the C-suite and board
  • 56 percent of respondents say their IT security infrastructure has gaps in coverage that allow attackers to penetrate its defenses

Most organizations do not have a mature program for measuring their IT security posture, and even among those that do, many do not report these findings to the board. Respondents cited a lack of appropriate monitoring tools that generate adequate and accurate information on IT security posture as a primary reason for failing to report to the board. Key data points include:

  • Only 24 percent of respondents say they have a mature measurement and metrics program, and 30 percent say they have a partial metrics program
  • 40 percent of respondents say they do not quantify and track the company’s IT security posture at all
  • Of the respondents who have either a mature or partial measurement program, only 39 percent report the findings to the board

“Data breaches and other security incidents continue to plague enterprises, shining a light on the need for companies to shift to a proactive approach to ensuring a strong security posture,” said Brett Galloway, CEO of AttackIQ. “From this research, we know that almost half of companies don’t quantify and track their IT security posture at all, completely crippling their ability to confidently identify and remediate security gaps. AttackIQ not only allows organizations to systematically test the efficacy of their security programs and address any weaknesses in coverage or configurations but also to demonstrate improvement to cybersecurity posture over time. Senior leaders, including CEOs and board members, need accurate and comprehensive data in order to determine acceptable cyber risk levels and ensure their organization is positioned to prevent disruption to critical infrastructure.”

The MITRE ATT&CK framework[1] acts as a playbook for the cybersecurity industry, offering a vast knowledge base that allows organizations to clearly see the steps of complex attacks and what procedures are linked to a specific adversary behavior. This cybersecurity lexicon levels the playing field for security teams, letting analysts and purple teams see specific trends between attacks and adversary styles. It allows security executives to think systematically about the adversary environment in which they must establish a security program and to determine if security dollar spend is effective in preventing or detecting all known attacker behaviors. With the broadest implementation of the ATT&CK framework, AttackIQ provides enterprises of all sizes the ability to automate the assessment of their cyber readiness.

“The MITRE ATT&CK framework helps AttackIQ users to prioritize their cybersecurity toolchain assessments based on the most applicable and salient TTPs,” said Jack Poller, Senior Analyst at ESG. “ESG validated that using AttackIQ’s continuous validation methodology, organizations can assess current toolchain effectiveness and can easily identify regressions and track improvements over time.”

To see this Ponemon research data, download AttackIQ’s report, “The Cybersecurity Illusion: Enterprise Security Remains Reactive,” here: https://go.attackiq.com/PONEMON-2-REPORT-DOWNLOAD-LP-PR.html

Istvan Berko, Director, Security Services & Solutions of NTT; David London, Senior Director of Chertoff Group; and Rick McElroy, Principal Security Strategist of Carbon Black, will discuss the findings of this report and key takeaways for enterprise security in a live webinar on Thursday, October 31 at 10 a.m. PT. To register to attend the webinar, please visit: https://go.attackiq.com/Ponemon-2-Live-Webinar_LP-PR.html

Methodology

Sponsored by AttackIQ, Ponemon Institute surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organization’s IT security strategy and tactics. More than half of respondents (58 percent) are at or above the supervisory levels.

About AttackIQ

AttackIQ, a leader in the emerging market of continuous security validation, built the industry’s first platform that enables red and blue teams to test and measure the effectiveness of their security controls and staff. With an open platform, AttackIQ supports the MITRE ATT&CK framework, a curated knowledge base and model for cyber adversary behavior used for planning security improvements and verifying defenses work as expected. AttackIQ’s platform is trusted by leading companies around the world. For more information visit www.attackiq.com. Follow AttackIQ on Twitter, Facebook, LinkedIn, Vimeo, and YouTube.

[1] 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. More information available at https://attack.mitre.org/

Contacts

AttackIQ Media Contact
Emily Ashley
PR for AttackIQ
attackiq@10fold.com
916-710-0950

Release Summary

Ponemon Institute report demonstrates a lack of accountability, especially on the board and among C-suite executives
