Facebook Google Plus Twitter LinkedIn YouTube RSS 功能表 搜尋 資源 - 部落格資源 - 網路研討會資源 - 報告資源 - 活動icons_066 icons_067icons_068icons_069icons_070

Tenable 部落格

訂閱

How People, Process and Technology Challenges Are Hurting Cybersecurity Teams

preventive cybersecurity: how people, process and technology challenges are increasing cyber risk

In a commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable, we set out to understand the real-world challenges standing in the way of effective risk-reduction practices. Here’s what we learned. 

At a time when cybersecurity programs are facing unprecedented levels of scrutiny by government agencies, insurance companies and investors, many organizations find it challenging to effectively report and communicate about risk. They’re restricted by an array of people, process and technology challenges that, taken together, make it extremely difficult to practice preventive cybersecurity, even as the attack surface becomes ever more complex.

A new white paper, "Old Habits Die Hard: How People, Process and Technology Challenges Are Hurting Cybersecurity Teams," reveals that, in the last two years, the average organization was prepared to preventively defend 57% of the cyberattacks they encountered. However, having only this much coverage leaves them vulnerable to 43% of these attacks, which they were forced to reactively mitigate rather than stop altogether. Nearly three-quarters (74%) of security and IT leaders believe their organization would be more successful at defending against cyberattacks if it devoted more resources to preventive cybersecurity. The white paper is based on a commissioned survey of 825 cybersecurity and IT leaders conducted in 2023 by Forrester Consulting on behalf of Tenable.

The complexity of IT infrastructure — with its reliance on multiple cloud systems, numerous identity and privilege management tools and multiple web-facing assets — brings with it numerous opportunities for misconfigurations and overlooked assets. Preventive cybersecurity requires the ability to assess and prioritize vulnerabilities and misconfigurations in context with user data and asset prioritization so that IT and cybersecurity employees can make the right decisions about which systems or classes of users and assets to remediate first. Yet, the siloed nature of the thousands of point solutions offered by cybersecurity vendors makes it nearly impossible for security and IT leaders to understand the full depth and breadth of an organization’s exposure. 

Many organizations still struggle with the basics of patching software vulnerabilities — and such flaws are merely one element of an organization’s overall exposure. Preventively addressing system misconfigurations brings its own set of challenges. Further complicating matters, organizations struggle to obtain an accurate picture of their attack surface, including visibility into unknown assets, cloud resources, code weaknesses and user entitlement systems.

It all starts with people 

Internal processes and attitudes can create conflicts that end up derailing efforts to implement preventive cybersecurity strategies. Cybersecurity and IT teams are often siloed and their performance is evaluated using separate and contradictory criteria and goals. Internal attitudes further serve to make coordination between IT and security teams difficult and time-consuming. 

The result of this mismatch? Nearly six in 10 respondents (58%) say the cybersecurity team is too busy fighting critical incidents to take a preventive approach to reducing their organization’s exposure. Four in 10 (40%) find coordination between IT and cybersecurity teams difficult and time-consuming and nearly two-thirds (65%) say IT is more concerned with uptime than patching/remediation. 

Siloed systems are not only a drain on human resources, they make it challenging to create meaningful risk reports from disparate data sources. Seven in 10 respondents (71%) have 25 or more employees devoted to deployment, support, maintenance and/or vendor relationships for the preventive cybersecurity tools they use. On average, organizations spend 15 hours per month creating security reports for business leaders. 

People challenges beget process challenges

Organizational silos stand in the way of effective collaboration. For example, although the majority of respondents (53%) cite cloud infrastructure — specifically public, multi-cloud and/or hybrid cloud — as the greatest source of exposure in their organization, cybersecurity is often left out of the cloud deployment decision-making process. 

Over a third of IT and cybersecurity leaders agree the cybersecurity team is not consulted early enough in the process of choosing and deploying cloud services, while 31% say their business and engineering teams purchase and deploy cloud services without informing the cybersecurity team

Frequent meetings and communication about the business criticality of systems are essential for reducing risk, yet such meetings take place monthly (at best!). More than 20% of organizations only meet once a year (or less). 

Technology exacerbates the challenges facing cybersecurity teams

A hodgepodge of siloed cybersecurity tools makes it difficult for cybersecurity and IT leaders to gain meaningful insights about the depth and breadth of their exposure. Professionals using siloed tools are unable to determine the relationships among users, systems and software, and different measurement metrics among all the various tools make it difficult to accurately assess risk. Further complicating matters, three out of four of the most frequently used cybersecurity tools are reactive, not preventive, making proactive cybersecurity practices difficult to execute. Even more concerning, the siloed nature of cybersecurity tools makes it difficult for IT and security pros to provide senior management with comprehensive, easy-to-understand risk management metrics — making it challenging for management to properly understand the organization’s risk posture, allocate budgets accordingly and meet government and industry standards for risk reporting. 

Important context about users and access privileges is also hard to come by: seven in 10 (70%) say their siloed systems form a barrier for obtaining user data. While most respondents (75%) say they consider user identity and access privileges when they prioritize vulnerabilities for remediation, half say their organization lacks an effective way of integrating such data into their preventive cybersecurity and exposure management practices. 

If you’re ready to learn more about these challenges, gain insight into how the most mature organizations are addressing them and see recommendations for next steps:

相關文章

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,能夠以無與倫比的準確性查看和追蹤所有資產。

您的 Tenable Vulnerability Management 試用版軟體也包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

100 項資產

選取您的訂閱選項:

立即購買

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,能夠以無與倫比的準確性查看和追蹤所有資產。

您的 Tenable Vulnerability Management 試用版軟體也包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

100 項資產

選取您的訂閱選項:

立即購買

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,能夠以無與倫比的準確性查看和追蹤所有資產。

您的 Tenable Vulnerability Management 試用版軟體也包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

100 項資產

選取您的訂閱選項:

立即購買

試用 Tenable Web App Scanning

享受完整存取我們專為新型應用程式所設計、屬於 Tenable One 曝險管理平台一部分的最新 Web 應用程式掃描產品。不需耗費大量人力或中斷重要 Web 應用程式,即可高度準確且安全地掃描您整個線上產品系列中是否含有任何弱點。 立即註冊。

您的 Tenable Web App Scanning 試用版軟體也包含 Tenable Vulnerability Management 和 Tenable Lumin。

購買 Tenable Web App Scanning

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

5 個 FQDN

$3,578

立即購買

試用 Tenable Lumin

利用 Tenable Lumin 視覺化並探索您的曝險管理、追蹤經過一段時間後風險降低的情形以及與同業進行指標分析。

您的 Tenable Lumin 試用版軟體也包含 Tenable Vulnerability Management 和 Tenable Web App Scanning。

購買 Tenable Lumin

聯絡業務代表,瞭解 Tenable Lumin 如何協助您取得您整個環境的深入解析和管理網路風險。

免費試用 Tenable Nessus Professional

免費試用 7 天

Tenable Nessus 是目前市場上最全方位的弱點掃描器。

最新 - Tenable Nessus Expert
現已上市

Nessus Expert 新增了更多功能,包括外部攻擊破綻掃描和新增網域及掃描雲端基礎架構的能力。按這裡試用 Nessus Expert。

請填妥以下表單以繼續 Nessus Pro 試用。

購買 Tenable Nessus Professional

Tenable Nessus 是目前市場上最全方位的弱點掃描器。Tenable Nessus Professional 可協助將弱點掃描流程自動化,節省您執行合規工作的時間並讓您與 IT 團隊合作。

購買多年期授權,節省更多。新增 365 天全年無休 24 小時全天候可使用電話、社群及對談的進階支援。

選擇您的授權

購買多年期授權,節省更多。

增加支援與訓練

免費試用 Tenable Nessus Expert

免費試用 7 天

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。

您已經有 Tenable Nessus Professional 了嗎?
升級至 Nessus Expert,免費試用 7 天。

購買 Tenable Nessus Expert

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。

選擇您的授權

購買多年期授權省更多!

增加支援與訓練