December 10, 2014 By Jaikumar Vijayan 3 min read

In direct contrast to two recent reports suggesting dangerous overconfidence on cybersecurity matters within many organizations, a new report shows that a majority of security leaders actually feel outmatched by their cyberadversaries.

Despite having mature technologies and practices to deal with a range of advanced security threats, close to 60 percent of 138 chief information security officers (CISOs) and senior security executives said in a recent IBM survey that they felt attackers had outstripped their organization’s defensive capabilities.

Deep Apprehension

IBM interviewed the security leaders for its third annual Chief Information Security Officer (CISO) study. The goal of the study, which was conducted by the IBM Center for Applied Insights, is to gain an understanding of how security leaders view the current threat landscape.

What it shows is a deep level of apprehension among CISOs, chief information officers, chief technology officers and others tasked with enterprise information security management functions.

Eight in 10 survey respondents said the number of external threats to their companies was rising, while 40 percent pointed to such threats as their biggest challenge. Much of the concern over external threats appears to be tied to the growing interconnectivity and interactions between enterprises and their business partners, customers and suppliers.

“As enterprise leaders continue to outline business priorities, external threats will require the most organizational effort over the next three to five years — as much as regulations, new technologies and internal threats combined,” the IBM report noted.

In addition to the external threats, many CISOs also pointed to government regulations and rules as a major area of concern. Over 80 of the security leaders surveyed felt that regulations and standards handed down by the government had significantly increased their risk over the past three years. Another area of concern was the uncertainty expressed by many over whether governments would handle regulations and governance issues at a national or a global level.

Mature Security Technologies

Interestingly, the concerns about being outgunned by adversaries existed even though 70 percent of the technology executives surveyed believed their businesses had mature technologies for intrusion prevention, malware detection and network scanning. Slightly more than half of those surveyed said their ability to address security needs was, ironically enough, being strained by the increasing pace of innovation in the security industry.

“Pressured to deploy, integrate and improve current systems, security leaders have little remaining capacity to contemplate developing technologies,” the IBM report said.

Contrasting Sentiments

The findings in the IBM report are at odds with the conclusions of two other recent surveys that showed IT managers expressing a surprising degree of confidence over the preparedness of their security organizations to deal with security threats.

In one of the surveys, conducted by Enterprise Management Associates on behalf of software vendor SolarWinds, 84 percent of 312 IT managers felt their organizations were “very secure” from cyberthreats, though almost the same percentage also admitted to suffering a major security incident in the past year. The other survey of 250 IT professionals by ThreatTrack Security reported 94 percent of the respondents expressing confidence in their ability to deflect cyberattacks, even though a majority had experienced a recent breach.

Preparing for cyberattacks has become a major issue in a year during which numerous companies have reported major data breaches. Following the network intrusion at Target last December that exposed data on 40 million credit and debit cards, there have been numerous other breaches of similar scope over the past 12 months. Such victims include Home Depot, JPMorgan Chase, Community Heath Systems, Kmart and UPS Stores.

The breaches and evolving government regulations are driving a complete reassessment of security strategies at many organizations, IBM noted in its CISO report. The trend has also vaulted security leaders into positions of considerably greater influence at their companies, IBM said.

More from

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

How red teaming helps safeguard the infrastructure behind AI models

4 min read - Artificial intelligence (AI) is now squarely on the frontlines of information security. However, as is often the case when the pace of technological innovation is very rapid, security often ends up being a secondary consideration. This is increasingly evident from the ad-hoc nature of many implementations, where organizations lack a clear strategy for responsible AI use.Attack surfaces aren’t just expanding due to risks and vulnerabilities in AI models themselves but also in the underlying infrastructure that supports them. Many foundation…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today