Tool Overload, Asset Blindness and Misplaced Confidence in Controls Cited as Key Security Challenges, According to Panaseer 2022 Security Leaders Peer Report

LONDON and NEW YORK, Nov. 30: Control failures are behind a growing number of security incidents at large organisations, according to the Panaseer 2022 Security Leaders Peer Report. Data from an external survey of 1,200 enterprise security leaders also reveals that an increase in tools and manual reporting combined with control failures are contributing to the success of threats such as ransomware, which costs organisations an average of $1.85 million in recovery. Panaseer, an enterprise security company, developed the report to get insight into how the state of enterprise security has evolved in the last two years, following a global shift to new working models. Currently only 36% of security leaders feel very confident in their ability to prove controls were working as intended. This is despite 99% of respondents believing it's valuable to know that all controls are fully deployed and operating within policy, and cybersecurity control failures currently being listed as the top emerging risk in the latest Gartner, Inc. Emerging Risks Monitor Report. Attacks only succeed when they hit systems that haven't been patched or don't have security controls monitoring them. The vast majority (82%) of security leaders have been surprised by a security event, incident, or breach that evaded a control(s) thought to be in place. It takes multiple control failures for an attack to be successful. In their experience, the respondents stated that it took an average of five or more control failures for an event, incident or breach to succeed. The report also confirmed that only 40% of security leaders can confidently understand and remediate underperforming controls and track improvement. Over half (60%) of the security leaders lack strong confidence in their ability to continuously measure security controls that mitigate the infiltration, propagation, and exploitation of a successful ransomware attack. The rise in threats and shift to cloud-enabled remote working has increased the number of security tools used by large enterprises. On average, enterprise security teams are grappling to manage 76 discrete security tools, a significant jump from 2019 when the average was 64.* An increase in tools can also increase reporting requirements. According to the report, security teams spend more than half their time (54%) manually producing reports for the Board, regulators and auditors. This is an increase of over a third from 2019 when security teams spent on average 40%* of their time manually producing reports. The main tasks involved in manual reporting include: extracting data, moving data, cleaning data, merging data, making calculations and formatting and presenting data. Databases topped the list of assets into which security teams had least visibility (27%), followed by devices (17%) and then Internet of things (16%). The lack of visibility around databases correlates with a sharp rise in ransomware attacks, which have quadrupled during the pandemic and the National Cyber Security Centre recently cited as "the most immediate danger to UK businesses." Jonathan Gill, CEO, Panaseer: "The number of security tools continues to grow to meet the increasing threat and fast-evolving technology landscape. These tools produce vast amounts of data, but unfortunately, the data does not always join together, and this has now become a data science problem." "Many organisations try to resolve this with spreadsheets and other in-house solutions that simply increase the reporting and administration burden on precious cybersecurity resources. It's almost impossible to understand an organisation's assets, the status of controls relating to those assets, and the business context or ownership of the associated vulnerabilities. Most attacks happen despite organisations having invested in controls to defend themselves, but finding those controls were not deployed across all assets as intended." When asked what changes they have experienced since the beginning of the pandemic, security leaders cited a 42% increase in unpatched vulnerabilities, and 46% more events, 42% more incidents and 47% increase in breaches. To read Panaseer's full 2022 Security Leaders Peer Report, please visit: https://panaseer.com/reports-papers/report/2022-security-leaders-peer-report/ * For a true like-for-like comparison, Panaseer has segmented the data from its 2019 Security Leaders Peer Report to focus on the comparable companies sized 5,000 to 10,000+ employees. Survey information Over 1,200 senior security leaders (including CISO/ senior security/ risk officers), from the life sciences, energy, healthcare, retail, utilities and financial services industries, in companies of 5,000+ employees, were surveyed by Censuswide in September 2021. About Panaseer Panaseer is the first Continuous Controls Monitoring (CCM) platform for enterprise security. CCM is solving one of the biggest challenges in cybersecurity today – control failure. Enterprises do not know if their security controls are providing full protection at any given moment in time. Panaseer's CCM platform uniquely correlates data from all security tools to identify and measure missing assets and control gaps so that organisations can optimise security controls, tools, processes, and personnel. CCM has become a required capability for regulated enterprises. Gartner has included Panaseer as an inaugural vendor in two Hype Cycles for emerging technology: in 2020, in the Continuous Controls Monitoring category under Risk Management, and in 2021 in the Cyber Asset Attack Surface Management (CAASM) category under Network Security. Recently, Momentum Cyber included CCM in its Cybersecurity Almanac, as a next generation technology that will shape the future of cybersecurity; they also included Panaseer as an inaugural vendor. Panaseer's CCM platform was named as the 'Best Regulatory Compliance Tool and Solution' at the 2020 SC Awards Europe, and also received the Editor's Choice award from Cyber Defense Magazine for its 'Continuous Controls Monitoring platform.' Panaseer clients include the world's largest institutions and enterprises. Total funding to date is $43 million and investors include: AllegisCyber Capital, National Grid Partners, Evolution Equity Partners, Notion, AlbionVC, Cisco Investments and Paladin Capital Group. For more information visit: www.panaseer.com