Research shows ‘game needs to be changed,’ with security innovation years behind that of the attackers, the board a decade behind security discussions and regulation needing more industry input
Vectra AI, a leader in threat detection and response, today released a new report highlighting how today’s organisations are tackling complex, modern cyberthreats. Vectra’s Security Leaders Research Report found that 89% of respondents think traditional approaches don’t protect against modern threats and that ‘the game needs to be changed’ when it comes to dealing with attackers. The report surveyed 200 IT security decision makers working at organisations with more than 1,000 employees in the UK.
The report unearths how security leaders believe legacy tooling and thinking is impeding organisations from protecting against modern threats, and that a new approach is needed to detect and stop attacks that leapfrog current tools. Key findings include:
- 76% of security decision makers say they have bought tools that failed to live up to their promise – citing poor integration, failure to detect modern attacks, and lack of visibility as the top three reasons
- 69% think they may have been breached and don’t know about it—a third (31%) think this is “likely”
- 90% of respondents say recent high-profile attacks have meant the board is starting to take proper notice of cybersecurity
- 69% believe cybercriminals are leapfrogging current tools and that security innovation is years behind that of the hackers
- Over half (54%) now invest as much, if not more, on detection as protection, suggesting a positive shift away from prevention-first mentality
Garry Veale, Regional Director, UK & Ireland at Vectra, commented: “Digital transformation is driving change at an ever-increasing pace. Yet companies are not the only ones innovating. Cybercriminals are too. As the threat landscape evolves, traditional defences are increasingly ineffectual. Organisations need modern tools that shine a light into blind spots to deliver visibility from cloud to on premise. They need security leaders who can speak the language of business risk. Boards that are prepared to listen. And a technology strategy based around an understanding that it’s ‘not if but when’ they are breached.”
Security leaders are resigned to the fact that attackers are now one step ahead, with69% of respondents believing that cybercriminals are leapfrogging current tools and that security innovation is years behind that of the hackers.
This may be in part due to legacy thinking around security and a lack of communication between security teams and the board. 58% of respondents think the board is a decade behind when it comes to security discussions, while 82% say the board’s security decisions are influenced by existing relationships with legacy security and IT vendors. A further 68% say it’s hard to communicate the value of security to the board, as it is notoriously difficult to measure. As a result, security leaders are more reliant than ever on their partners in the channel. 86% say they’re grateful to have a channel partner they can trust to guide them, as there are so many vendors all promising to do the same thing.
From GDPR to the Network and Information Security Directive, cybersecurity practices and standards are shaped by regulation. While regulation is crucial in holding organisations accountable, the report found 58% of respondents think legislators aren’t well-equipped enough to make decisions around cybersecurity matters and called for more industry input and collaboration. In addition, 43% of respondents argued that regulators don’t have a strong enough understanding of life “at the coal face” to be writing in laws for cybersecurity professionals.
“With the security landscape rapidly evolving and becoming increasingly complex, more often than not the attackers hold the advantage. This means security leaders must adopt a fresh approach to security that revolves around detection and response, while moving away from prevention-first strategies,” concludes Veale. “This new approach to security can create the right conditions for effective cyber-risk management but in order for the wider security industry to embrace this pro-active culture, there needs to be greater communication and consultation amongst both the board and regulators to ensure all parties are reading from the same script.”