Some interesting reading recently from a Dow Jones survey conducted alongside Centrify looking at enterprise cybersecurity priorities and where CEOs and IT practitioners are aligned, and where they aren’t. Centrify is an identity and access management vendor that, of late, has been pushing a story around zero trust. In essence, the zero trust model is a sad (albeit accurate) reflection on enterprise cyber risk. It suggests that users inside a network are no more trustworthy than those outside the network.
This is important since traditional cybersecurity approaches have always doffed their virtual hat to anyone from within the organization. This new approach of zero trust applies the same level of verification, validation and access control to all users – no matter where they came from. Centrify claims 5,000 customers across the globe, including half of the Fortune 100.
Anyway, anything related to how an organization is positioning itself and thinking about security is within Centrify’s area of interest and they recently published some research around that area.
The upshot of the findings are that CEOs are generally focused on the organizational risks from malware. Centrify’s analysis is that this focus created organizational misalignment which actually results in sub-optimal security. The respondents the researchers spoke with who are actually responsible for the day-to-day security profile of the organization – CIOs, CTOs, and CISOs – all identified privileged user identity attacks as well as stolen or weak passwords as the biggest threats. They bemoan what they see as cybersecurity strategies, project priorities, and budget allocations that don’t always match up with the primary threats nor prepare companies to stop most breaches.
Rolling out the stats
The study, which covered around 800 enterprise executives had some pretty interesting findings:
- 62% of CEOs cite malware as the biggest threat to their organizations but only 8% of significant breaches could have been prevented with anti-malware solutions.
- CEOs, CIOs and CISOs on the front lines of security state that Identity is the primary attack vector, not malware.
- 68% of significant breaches most likely could have been prevented by privileged user identity and access management or user identity assurance.
- 56% of CEOs say that it would take a major breach within their organization to see compromised credentials as a significant threat yet 24% of CEOs are unaware they’ve already experienced a significant breach and 60% of CEOs continue to misinvest in malware prevention.
The status quo is not working
It’s pretty damning reading and suggests that, at least to a certain extent, the approach and strategy that organizations use to keep themselves safe are sub-optimal. While external cyber security breaches are “sexy” and get lots of media attention, it’s the internal vectors that are something of a hidden killer – if organizations are loath to admit they’ve suffered an external breach, they’re double loath to admit a breach originated from inside. Reflecting on the findings, Tom Kemp, CEO of Centrify doesn’t pull any punches, saying that:
While the vast majority of CEOs view themselves as the primary owners of their cyber security strategies, this report makes a strong argument that companies need to listen more closely to their Technical Officers. It’s clear that the status quo isn’t working. Business leaders need to rethink security with a Zero Trust Security approach that verifies every user, validates their devices, and limits access and privilege.
Kemp’s perspective is that zero trust approaches are the best way to protect against exploitation – that’s obviously a somewhat self-serving statement but, given the findings of this research and the fact that insider-breaches could reasonably be expected to be under-reported compared to external breaches, it’s a statement with validity. Reflecting on the zero-trust approach compared to more traditional models, Garrett Bekker, Principal Security Analyst at 451 Research had this to say:
The traditional security model of using well-defined perimeters between ‘trusted’ corporate insiders and ‘untrusted outsiders’ to protect assets has evolved with the advent of cloud, mobile and IoT. Yet most enterprises continue to prioritize spending on traditional security tools and approaches… Modern organizations need to rethink their approach and adopt a framework that relies on verifying identity rather than location as the primary means of controlling access to applications, endpoints and infrastructure.
MyPOV
Hardly a week goes by without the business media screaming headlines about the latest organization to suffer data loss. But often the root cause for this data loss isn’t the usual suspect and clichéd picture of external hackers. Rather, internal processes, poor systems and a culture that drops the guard when confronted with a known-user can be a real problem. This research is well worth reading for anyone looking to make buying decisions for organizations – download the report here.
