Exploring The Gap Between Cybersecurity Perception And Reality

This article is more than 7 years old.

Cybersecurity Dissonance: Perception versus Reality Panel Discussion

Michelle Scafer

Most company executives and security professionals have a reasonable understanding of cybersecurity. Even if they don’t fully understand the mechanics under the hood, they at least realize that there is a vast and aggressive threat landscape out there, and that their networks are under virtually constant siege from attackers. When you ask how they feel about their security, though, and how confident they are in their ability to successfully detect and block attacks, the response shows a startling disconnect between reality and their perception.

Last month at the RSA Security Conference in San Francisco, I had an opportunity to attend a panel discussion hosted by Arctic Wolf Networks. We met at Marianne’s, an eclectic little semi-secret room at the back of The Cavalier restaurant. The room is apparently themed after the cover of the Rolling Stones’ Beggar’s Banquet album and named for British rock icon Marianne Faithfull.

We were served coffee and orange juice and breakfast burritos, and then we sat and listened while a handful of security experts discussed this very issue in a panel discussion titled Cybersecurity Dissonance: Perception vs. Reality. The panel comprised David Monahan, Research Director at EMA Research; Dan Limon, Senior Systems Administrator for The Pasha Group; and Charles Muller, Director of IT at Threshold Enterprise. The session was led by Arctic Wolf CEO and co-founder Brian NeSmith.

The discussion centered around the results from a recent study on cybersecurity dissonance. The study found that almost everyone—95 percent to be precise—believes that their security posture is above average. Roughly nine in ten respondents believe that perimeter security tools are capable of combatting all cybersecurity threats, and nine out of ten also state that they have personnel dedicated solely to managing security.

On the reality side of that equation, however, 63 percent admit they cannot stop zero-day threats. Nearly three out of four report that their role is too broad and that it’s difficult to focus on IT security as much as they really should. The study also found that nearly 80 percent of security alerts are not addressed within the first hour after the alert fires.

There appears to be a disconnect. If two-thirds of those surveyed know they’re not equipped to defend against zero-day threats, and three-fourths know they’re not doing everything they can for IT security, how can it be possible that 95 percent feel their security is above average and almost all of those surveyed seem to feel their perimeter security controls are sufficient to stop all threats?

The short answer is simply that it’s human nature. It’s human nature to have an inflated sense of success or achievement. NeSmith pointed out the parallel with asking people if they keep themselves in good health. Many will answer, “Absolutely,” without hesitating. As NeSmith pointed out, though, you get a different picture when you follow up to ask how often they eat fast food, or how regularly they actually exercise. There is a disconnect where we know what we’re supposed to do, and we feel comfortable judging others for not doing those things while simultaneously feeling like we are better than we really are despite any evidence to support that assumption.

I have seen this a lot with cybersecurity over the years—especially as it relates to malware outbreaks and data breaches. Executives and security administrators are aware that the threats exist, and they know that partners and competitors are being attacked and compromised, yet they will often persist in doing too little—or nothing at all—because for some reason they feel like it can’t or won’t happen to them. Well, guess what? Eventually the gap between cybersecurity perception and reality comes back to bite most companies in the ass.

After a brief overview of the highlights from the report, NeSmith turned the discussion over to the panel, asking Charles Muller for his thoughts on focus and how IT security professionals can make sure they’re focusing on the right things. Muller stressed that he feels an IT security professional should be dedicated to IT security—not also writing code, or managing networks, etc. He also shared a personal philosophy that regardless of personal ethics or sense of focus or your own dedication, you need effective support.

Muller’s point is a crucial one—especially for smaller organizations. The vast majority of companies fall into the small and medium business category. They have fewer people and fewer resources, and they’re much more likely to assign responsibility for IT security to someone who is already doing five other things and expect it to be handled.

The reality—and this is where I think Muller’s philosophy of enlisting support comes in—is that most small and medium businesses, and even some larger enterprises, just don’t know how to do security right. They don’t have the skills or the tools to do it properly, and it’s simply not a priority. I’m also not saying it should be. The priority should be finding a partner who knows security and can provide that support so you can focus on the things that generate revenue and grow your business.

The panel discussion diverged some into a chat about security in general and the threats companies face. Dan Limon shared that attackers generally have a financial motive. Sometimes it’s a direct attack and sometimes it’s indirect—it may be a spear phishing attack targeted at a specific individual or it may be a broad ransomware attack.

NeSmith also asked the panel how their organizations deal with “noise” when it comes to information security. Many companies are overwhelmed with alerts, and it can be a challenge to separate critical issues from background noise and prioritize effectively.

The primary takeaway from the session, though, was for organizations to address that gap between perception and reality. Take a realistic look at the threat landscape and understand the strengths and weaknesses of your security posture. With that knowledge, determine what needs to be done to close those gaps, and then honestly assess whether it can be accomplished with the personnel and resources available internally, or if it makes sense to enlist the support of a partner to provide more effective security.
