December 10, 2014 By Jaikumar Vijayan

In direct contrast to two recent reports suggesting dangerous overconfidence on cybersecurity matters within many organizations, a new report shows that a majority of security leaders actually feel outmatched by their cyberadversaries.

Despite having mature technologies and practices to deal with a range of advanced security threats, close to 60 percent of 138 chief information security officers (CISOs) and senior security executives said in a recent IBM survey that they felt attackers had outstripped their organization’s defensive capabilities.

Deep Apprehension

IBM interviewed the security leaders for its third annual Chief Information Security Officer (CISO) study. The goal of the study, which was conducted by the IBM Center for Applied Insights, is to gain an understanding of how security leaders view the current threat landscape.

What it shows is a deep level of apprehension among CISOs, chief information officers, chief technology officers and others tasked with enterprise information security management functions.

Eight in 10 survey respondents said the number of external threats to their companies was rising, while 40 percent pointed to such threats as their biggest challenge. Much of the concern over external threats appears to be tied to the growing interconnectivity and interactions between enterprises and their business partners, customers and suppliers.

“As enterprise leaders continue to outline business priorities, external threats will require the most organizational effort over the next three to five years — as much as regulations, new technologies and internal threats combined,” the IBM report noted.

In addition to the external threats, many CISOs also pointed to government regulations and rules as a major area of concern. Over 80 of the security leaders surveyed felt that regulations and standards handed down by the government had significantly increased their risk over the past three years. Another area of concern was the uncertainty expressed by many over whether governments would handle regulations and governance issues at a national or a global level.

Mature Security Technologies

Interestingly, the concerns about being outgunned by adversaries existed even though 70 percent of the technology executives surveyed believed their businesses had mature technologies for intrusion prevention, malware detection and network scanning. Slightly more than half of those surveyed said their ability to address security needs was, ironically enough, being strained by the increasing pace of innovation in the security industry.

“Pressured to deploy, integrate and improve current systems, security leaders have little remaining capacity to contemplate developing technologies,” the IBM report said.

Contrasting Sentiments

The findings in the IBM report are at odds with the conclusions of two other recent surveys that showed IT managers expressing a surprising degree of confidence over the preparedness of their security organizations to deal with security threats.

In one of the surveys, conducted by Enterprise Management Associates on behalf of software vendor SolarWinds, 84 percent of 312 IT managers felt their organizations were “very secure” from cyberthreats, though almost the same percentage also admitted to suffering a major security incident in the past year. The other survey of 250 IT professionals by ThreatTrack Security reported 94 percent of the respondents expressing confidence in their ability to deflect cyberattacks, even though a majority had experienced a recent breach.

Preparing for cyberattacks has become a major issue in a year during which numerous companies have reported major data breaches. Following the network intrusion at Target last December that exposed data on 40 million credit and debit cards, there have been numerous other breaches of similar scope over the past 12 months. Such victims include Home Depot, JPMorgan Chase, Community Health Systems, Kmart and UPS Stores.

The breaches and evolving government regulations are driving a complete reassessment of security strategies at many organizations, IBM noted in its CISO report. The trend has also vaulted security leaders into positions of considerably greater influence at their companies, IBM said.
