Reasonable doubt: Only 17% of CISOs believe their stack is "completely effective" against attacks

An overabundance of confidence can lead to blind spots, but a Nominet report finds widespread doubt in organizations' security posture.

There's a substantial gulf in confidence between security vendors and CISOs—for vendors, if something goes wrong, the sale is already made, though a catastrophic event could still result in a contract non-renewal or legal action. For the CISO, the circumstances are more personal, as their own job is on the line.

Nominet's 2019 Cyber Confidence Report, published Tuesday, found that only 34% of the 300 CISOs surveyed were "somewhat or slightly confident" in their organization's choice of security solutions, with only 17% indicating that "the array of technology making up their security stack was completely effective."

Notably, Nominet found higher confidence among respondents from the US than from the UK when asking how confident CISOs are that their organization "has chosen the right/best one," at 37% versus 22%.

Across all industries, industry bodies are the least trusted source of cybersecurity advice, with only 34% seeking their counsel for purchasing decisions. Surprisingly, vendors and consultants were tied at 53%, with consultants closely following at 52%. Nominet notes that these circumstances are reversed with government buyers, seeking advice from industry bodies first, and security vendors last. 

Among sources of doubt, 49% cited the increasing sophistication of security threats, a factor that is outside the direct control of organizations. Of controllable factors, insufficient staff training was the most frequently cited (41%), followed by a lack of funding (34%), insufficient staffing (31%), and a lack of support from the board (29%). 

"In many cases security teams have been left scrambling as new generations of increasingly sophisticated cyber attacks have disrupted the operations of the largest of businesses. The prevailing attitude to emerge is not one of confidence: around half of CEOs, for example, think that the likelihood of their organization becoming a victim of a cyber attack is a case of 'when', and not 'if'," the report states.

"It's therefore not surprising that as of 2019, many cyber security professionals in the UK and the US have mixed feelings about the state of their security posture. Confidence in the technology is there, but so too is a nagging doubt that they do not have the best on offer. Meanwhile, few businesses can claim to have complete confidence in their overall security posture."

Recent headline-generating attacks, particularly in the public sector, where city and municipal governments have fallen victim to targeted ransomware attacks and over 500 schools have been hit by ransomware thus far in 2019, are likely to cause concern among CISOs. With ransomware attacks becoming larger and more sophisticated, apprehension toward declaring a network completely secure should be read as an application of philosophic doubt—the rise of new attacks may render current solutions ineffective, though predicting this requires a crystal ball. Constant vigilance is, therefore, required.
