In direct contrast to two recent reports suggesting dangerous overconfidence on cybersecurity matters within many organizations, a new report shows that a majority of security leaders actually feel outmatched by their cyberadversaries.

Despite having mature technologies and practices to deal with a range of advanced security threats, close to 60 percent of 138 chief information security officers (CISOs) and senior security executives said in a recent IBM survey that they felt attackers had outstripped their organization’s defensive capabilities.

Deep Apprehension

IBM interviewed the security leaders for its third annual Chief Information Security Officer (CISO) study. The goal of the study, which was conducted by the IBM Center for Applied Insights, is to gain an understanding of how security leaders view the current threat landscape.

What it shows is a deep level of apprehension among CISOs, chief information officers, chief technology officers and others tasked with enterprise information security management functions.

Eight in 10 survey respondents said the number of external threats to their companies was rising, while 40 percent pointed to such threats as their biggest challenge. Much of the concern over external threats appears to be tied to the growing interconnectivity and interactions between enterprises and their business partners, customers and suppliers.

“As enterprise leaders continue to outline business priorities, external threats will require the most organizational effort over the next three to five years — as much as regulations, new technologies and internal threats combined,” the IBM report noted.

In addition to the external threats, many CISOs also pointed to government regulations and rules as a major area of concern. Over 80 of the security leaders surveyed felt that regulations and standards handed down by the government had significantly increased their risk over the past three years. Another area of concern was the uncertainty expressed by many over whether governments would handle regulations and governance issues at a national or a global level.

Mature Security Technologies

Interestingly, the concerns about being outgunned by adversaries existed even though 70 percent of the technology executives surveyed believed their businesses had mature technologies for intrusion prevention, malware detection and network scanning. Slightly more than half of those surveyed said their ability to address security needs was, ironically enough, being strained by the increasing pace of innovation in the security industry.

“Pressured to deploy, integrate and improve current systems, security leaders have little remaining capacity to contemplate developing technologies,” the IBM report said.

Contrasting Sentiments

The findings in the IBM report are at odds with the conclusions of two other recent surveys that showed IT managers expressing a surprising degree of confidence over the preparedness of their security organizations to deal with security threats.

In one of the surveys, conducted by Enterprise Management Associates on behalf of software vendor SolarWinds, 84 percent of 312 IT managers felt their organizations were “very secure” from cyberthreats, though almost the same percentage also admitted to suffering a major security incident in the past year. The other survey of 250 IT professionals by ThreatTrack Security reported 94 percent of the respondents expressing confidence in their ability to deflect cyberattacks, even though a majority had experienced a recent breach.

Preparing for cyberattacks has become a major issue in a year during which numerous companies have reported major data breaches. Following the network intrusion at Target last December that exposed data on 40 million credit and debit cards, there have been numerous other breaches of similar scope over the past 12 months. Such victims include Home Depot, JPMorgan Chase, Community Heath Systems, Kmart and UPS Stores.

The breaches and evolving government regulations are driving a complete reassessment of security strategies at many organizations, IBM noted in its CISO report. The trend has also vaulted security leaders into positions of considerably greater influence at their companies, IBM said.

More from

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…