Dive Brief:
- Despite investments in cybersecurity, two-thirds of CISOs and IT security decision makers said their organizations remain vulnerable to attack, according to a Nuspire survey released last week.
- Half of the respondents surveyed said human error and deficient employee training on best practices remain the primary culprits for IT vulnerabilities.
- Cloud applications and infrastructure, end users and endpoints, email, networks, and software were cited as the digital instruments most susceptible to cyberattack.
Dive Insight:
The chasm between investments intended to bolster an organization’s cybersecurity posture and unrelenting threats lurking throughout the IT environment illustrates the extent to which money often fails to meet the most pressing needs in cybersecurity.
It also signifies the pressure CISOs are under to prioritize spending in a manner that elicits the best defense and response.
Internal points of weakness represent the most worrisome threats among 200 CISOs and IT security decision makers surveyed by Nuspire. The respondents work at organizations with up to 10,000 employees and annual cybersecurity budgets ranging from $100,000 to more than $3 million.
Ransomware on employee-owned devices and phishing attacks targeting employees are the biggest threat concerns, the survey concluded. CISOs and IT leaders pointed to IT, finance, sales and marketing as the most vulnerable departments in their respective organizations, according to Nuspire.
Very few organizations manage all of their cybersecurity needs in-house, and the services most likely to be outsourced are also the digital components most susceptible to attack, the survey found.
Cloud security posture management, cloud access security broker and endpoint detection and response are all outsourced at a rate of more than 40%, according to the IT leaders surveyed by Nuspire. Only 4% of respondents said their organization manages all cybersecurity internally.
Many organizations are struggling to defend and address the threat landscape, and this is exacerbated by a lack of resources and skills, said Rick Holland, Digital Shadows CISO and VP of Strategy.
Organizations can fill some gaps by outsourcing cybersecurity needs to third-party vendors, but doing so also introduces other challenges, and organizations still own the risk, he said.
“You’ll never have that same knowledge of a company when you outsource a service to someone else,” Holland said. “You lose out on that internal knowledge, which can be a challenge as well.”