The financial services industry dropped to second place in Tenable Network Security's annual cybersecurity scorecard, which also identified risk assessment for cloud and mobile computing as two of the biggest enterprise security weaknesses worldwide.
Columbia, Md.-based Tenable's 2017 Global Cybersecurity Assurance Report Card surveyed more than 700 IT security practitioners in nine countries and seven industry verticals to calculate a global index score reflecting overall confidence that cyberdefenses are meeting expectations. The overall result for all respondents: 70%, an unremarkable C-.
“Today’s network is constantly changing: mobile devices, cloud, IoT, web apps, containers, virtual machines. The data indicates that a lot of organizations lack the visibility they need to feel confident in their security posture,” said Cris Thomas, strategist at Tenable Network Security. “It’s pretty clear that newer technologies like DevOps and containers contributed to driving the overall score down, but the real story isn’t just one or two things that need improvement; it’s that everything needs improvement.”
Retail took the lead this year from financial services and telecom, which in 2016 had tied for first place among the industries surveyed with an overall report card score of 81% (B-). This year, six of the seven overall industry scores fell. Telecom saw the largest drop, down 11 points to 70% (C-), followed closely by financial services, down nine points to 72% (C-).
The single biggest drop in any risk assessment area this year was web applications, which fell 18 points from 80% (B-) in 2016 to 62% (D-) in 2017. Exposing these services online and to mobile phones puts them right at users’ fingertips, but it also creates new security challenges. “If application-centric security is the future, we have a long way to go,” the scorecard report said.
The assurance report card found that the constantly evolving and multiplying threat landscape, cited for the second year in a row as the number one challenge for security pros, is heightening technological complexity and creating even more opportunity for attackers to exploit gaps in security coverage. This leaves every organization vulnerable to compromise and breach, regardless of the size of its security investment.
The report found that accelerated adoption of cloud and mobile computing, combined with the emergence of DevOps (software teams collaborating through more consistent, automated practices) and containerization platforms (virtualization methods used to shorten innovation cycles and reduce time to market), has increased the complexity and decentralization of enterprise IT. That makes it harder for security teams to see everything on their networks and to assess cyberrisk accurately.
Additional concerns centered on low security awareness among employees and a lack of network visibility, particularly around bring-your-own-device (BYOD) programs and shadow IT, meaning technology used inside organizations without explicit authorization.
The U.S. grade dropped from a B- in 2016 to a C+, indicating less confidence in cybersecurity assurance. Although the overall U.S. score fell by two points, it remains well above the 70% global average. Within U.S. security assurance, the highest grades went to measuring security effectiveness (A-) and conveying risks to executives and the board (B+). However, the U.S. performed poorly in assessing the risk of newer technologies such as containerization platforms (F) and DevOps (D), and IT security pros admit they still don’t have a handle on managing the risks associated with mobile devices (D).
Other key global findings:
- Cloud software as a service (SaaS) and infrastructure as a service (IaaS) were two of the lowest-scoring risk assessment areas in the 2016 report. In the 2017 survey those cloud environments, now combined with a platform-as-a-service (PaaS) component, scored 60% (D-), a seven-point drop from last year’s average for IaaS and SaaS.
- Risk assessment for mobile devices, identified alongside IaaS and SaaS in last year’s report as one of the biggest enterprise security weaknesses, dropped eight points from 65% (D) to 57% (F).