Industry litmus tests are always open to interpretation and the Cisco 2016 Annual Security Report is certainly no different. The press were quick to swallow the line that the report revealed “a lack of confidence in security” and a “decline in defender confidence” but is this really an accurate interpretation? I would argue that the survey actually paints a more promising picture in that it shows businesses are now more aware of their vulnerabilities and realistic about their ability to fend off attacks.
The survey found under half (45 percent) of respondents were confident in their “ability to determine the scope of a network compromise and remediate damage”. In my book, that’s recognition that despite having adequate security measures in place, the organisation feels ill-equipped to carry out the threat detection, forensics and response plan needed to maintain business as usual (BAU). Yet those executives aren’t shirking their responsibility: an overwhelming 92 percent believed regulators and investors expect the organisation to manage the cyber security risk posture. That tells me that those executives, particularly the C-suite, are now stepping up to the mark and looking for help in countering these attacks.
Equally, there was a more realistic appraisal of infrastructure and its capabilities to withstand an attack. Those claiming their systems were ‘up to date’ dropped by 10 percent over the course of the previous year. Of course, nobody is condoning a failure to regularly patch systems but the fact is that those executives were aware of the state of health of their infrastructure, and that indicates an awareness previously lacking.
What the survey is really telling us is that senior management are on board, aware of, and eager to counter cyber threats, but they’re being hamstrung by a lack of resource.
So what are senior execs doing to overcome this frustrating situation? The survey reveals they’re recognising the need for specialist skills to counter organised attacks. The practice of outsourcing security services is up 23 percent compared to 14 percent in 2014, across the board, among both large and small enterprises. And it’s a practice that’s liable to continue to grow, with John Stewart from Cisco warning that businesses shouldn’t be tempted to take on “more technical debt”, or point solutions, in a bid to fight these threats.
The Cisco survey also exposed some interesting attack vectors, from an increase in browser-based attacks, to ransomware, and DNS malware. The latter continues to thrive due to the structural peculiarities of business, with DNS staff often not coming into contact with security staff who tend to work on other teams. Again, this is the kind of anomaly that an external consultancy would be quick to pick up, appraise and correct.
Finally, the report ends with a note of caution: expect more complexity. As digitalisation continues apace, with the addition of IoT and a greater dependency on virtualised environments, security is also in danger of becoming more fragmented, so we must consider resiliency going forward. That type of complexity can only mean an increase in demand for specialist cyber skills, making Managed Security Services (MSS) a must in the future.