Losing the Security War

Government and private sector security professionals do not have the tools or training necessary to effectively thwart cyber attacks, often giving hackers the upper hand, a new survey suggests.

The survey of nearly 2,000 professionals by security company RedSeal found that companies and government agencies are often losing the security war to hackers, with 75 percent of security professionals stating that hackers have the upper hand with tools and automation. Fifty percent of security professionals also admit to having no way of knowing how many hosts can be accessed from outside their network, and only 41 percent believe vulnerability management tools accurately prioritize vulnerabilities.

Security professionals employed by the government were also among the most likely to say that hackers have an advantage over their defense technologies. For example, 84 percent of government security professionals said hackers have the upper hand, beaten out only by the energy industry (86 percent). At the same time, government security pros were less likely to say that they lack the ability to generate the metrics needed to follow changes in network security posture, the study found.

In addition, 53 percent of security professionals say they lack the ability or knowledge to generate metrics needed to track security trends, the study found. Chief information security officers also are in the dark on comprehensive security strategies, with 51 percent saying they don't know or don't think their tools accurately prioritize vulnerabilities and 25 percent indicating that they don't know if there are security metrics to measure and track overall effectiveness, the study found.

Dr. Mike Lloyd, chief technology officer at RedSeal, told Wired Workplace on Tuesday that the goal for all security professionals is to thwart 100 percent of attacks. Anything less, he said, is insignificant because hackers will always find an open door. "It's very clear that there's a people component and a tech component," Lloyd said. "Many breaches could be fixed with personnel training, but that doesn't seem all that newsworthy. It's like dentists trying to make news by saying you can prevent cavities if you floss your teeth."