It’s a tough time to work in cybersecurity right now. On the one hand, companies desperately need security professionals to help defend against a growing myriad of attacks against the cloud. But security pros say companies aren’t taking the threat seriously enough.
How do we explain such a discrepancy?
Lacework recently partnered with global research and strategy firm ClearPath Strategies to survey more than 700 executives and practitioners within the security, DevOps, and developer areas, and across the SMB, mid-market, and enterprise spaces.
The survey found that while companies view cloud security as increasingly important, that concern has necessarily translated into effective policy. Nearly 80% of respondents expressed misgivings (overwhelmed, uncertain, lack of control, etc.) over their organization’s current security posture.
“The leadership definitely says security is important, but the problem is it’s not really implemented in most companies,” said one infosec director who works in the online food industry. “Security is talked about, but there is no money for security and really no people, so it’s kind of a mute point.”
The report’s findings offer some suggestions on how to narrow the gap between what companies say and what actually happens on the ground.
First, the board of directors, not just top executives and mid-level managers, must recognize the strategic importance of securing data. Boards not only supervise CEOs but also set the company’s priorities.
But the report found on a scale of 1-5, only 24% of companies ranked “Our data strategy is discussed at the board level” a 5. Even in era of increased cyberattacks from criminals, terrorists, and state actors, the finding suggest boards rarely address the issue at all.
Second, companies should embrace automation to relieve stress on overworked security professionals. Our survey found that a majority (55%) of respondents believe at least half of the time they spend on security issues is “not meaningful” (i.e., “wasted”). This includes 26% who believe only a quarter or less of their time on security issues is time meaningfully spent.
One reason is that security professionals are constantly chasing alerts that turn out to be nothing. 80% of respondents say at least 1-in-5 critical alerts are a false positive, while 33% of all companies say at least half of critical alerts are false positives.
Using automation technology like the Polygraph Data Platform to weed out false positives could enable security and development teams to focus on more productive and meaningful duties like innovation and fighting real threats.
“We try to automate pretty much everything because we have an extremely small team, so the only way to scale is through automation,” said an infosec director for a Fortune 500 company.
Our survey ultimately suggests that through a combination of technology and corporate policy, companies must fundamentally change the way they see data security.
Companies are increasingly moving data to the cloud, which presents opportunities for criminals and bad actors to strike.
But rather than merely respond to each attack and alert, companies must proactively incorporate security into products from the start. And that requires a level of corporation and collaboration between security and development teams that have not always existed.
As a result, innovation suffers and companies fall behind competitors.
Our research found that 45% of respondents agree their “security and compliance struggle to keep pace with our business needs.” Companies want to accelerate developer velocity but have paid too little attention to ensuring security velocity keeps pace.
Embracing automation and good corporate policy could go a long way to solving these problems.
Article Link: ClearPath report shows automation and good policy can help beleaguered security professionals - Lacework