SUNNYVALE, Calif. – Cybersecurity experts in the U.S. and the U.K. warn the convergence of an ever-more-sophisticated threat landscape and cybersecurity ill-preparedness are hurtling information security toward the perfect cyberstorm.

Cyber-risk consultancy RedSeal surveyed 600 U.S. and U.K. chief information security officers and senior information technology decisionmakers about the biggest security challenges they face. Across the board, four areas emerged as weak spots in the cybersecurity chain.

Sophisticated, rapidly evolving threat landscape

The burgeoning threat volume and complexity is outpacing security teams’ capabilities. More than half (54 percent) of senior cybersecurity professionals think the threat landscape is evolving far faster than their organization can respond. Specifically:

54 percent reported they don’t have the tools and resources they need.
55 percent can’t react quickly enough to limit damage in the event of a major security incident.
79 percent said their organization can’t access insights to prioritize their response to an incident.

Only one in five (20 percent) are extremely confident their organization will continue running as usual upon discovery of a cyberattack or breach.

Pervasive lack of preparation

RedSeal’s 2017 Resilience Report found only 25 percent of respondents’ organizations test their cybersecurity response to a major incident annually, if they test at all. The research also found a strong correlation: As time since the last test increases, executives’ confidence in the plan decreases.

On average, organizations reported the most recent blueprint, model or map of their entire network is nine months old. This means pathways through their constantly changing network – and access to their most valuable assets – are neither confirmed to be secure nor clearly known at all.

Fifty-five percent of cybersecurity executives conceded they don’t test their strategies frequently enough because the process is resource intensive (29 percent), outside their budget (27 percent) or takes too much time (26 percent).

Dangerous gap between perceived and true detection times

Once a network is compromised, a cyberattack festers until it’s detected and resolved. Alarmingly, the RedSeal Resilience report revealed an industry-wide discrepancy between how long it takes from when an organization’s network is compromised to when security personnel become aware of the event.

Perception: When ranking their capabilities, cyber pros voted “detection” as their strongest area (40 percent), with respondents reporting it takes an average of six hours to discover an incident.

Reality: Other studies of the same “time-to-detect” report drastically different times:
24 hours (2017 SANS Incident Response Survey).
49 days (2017 Trustwave Global Security Report).
99 days (Mandiant’s M-Trends 2017 Report).

Despite detection being considered the security teams’ greatest strength, companies are struggling and not fully informed. For example, the Sonic Drive-In fast-food chain didn’t know it had been hacked until its credit card processor informed the security team of unusual activity. Sonic acknowledged the breach — which compromised more than five million credit cards — 11 days after the first batch of cards were uploaded for sale.

Compliance, not strategy, drives security planning

Given the massive financial impact of breaches, cyber strategy should be the C-Suite’s priority. However, 97 percent of respondents reported external regulations play a major role in their cybersecurity and resilience planning and implementation. Only 27 percent are completely confident their IT systems can support the regulations.

“Having any one of these four areas — resources, preparation, detection and overarching strategy — in crisis is dangerous. Combined, they’re the harbinger of security disaster,” said RedSeal Chief Executive Officer Ray Rothrock. “This report underscores the urgency for the leaders of cyber strategy to pivot and aggressively pursue resilience, the ability to maintain business as usual while navigating an attack, as the new gold standard. Being prepared is the best defense.”