Against a backdrop of an increasingly complex threat landscape and major shifts in the way organizations operate, IT security decision-makers are struggling to keep up with the rising risks, particularly when it comes to secure access and defending against identity-related breaches.
These were among the results of a global survey of 2,100 IT security decision-makers conducted by Sapio Research on behalf of security firm Delinea.
The survey revealed that more than 80% of organizations experienced an identity-related security breach in the past 18 months.
The research also found that while identity security is a priority for security teams, nearly two-thirds of respondents said they believe executive leaders fail to understand its importance.
"The good news we have found is that many organizations realize the importance of protecting identities," said Joseph Carson, chief security scientist and advisory CISO at Delinea. "However, they must follow through with action and accelerate the journey to protecting identity-based cyberattacks."
Filling the Security Gaps
While many organizations are on the right path to securing and reducing cyber-risks to the business, the challenge is that large security gaps still exist for attackers to take advantage of, Carson said.
"This includes securing privileged identities," he said. "An attacker only needs to find one privileged account."
Among the most significant impacts of identity-related breaches or attacks using stolen credentials are:
- loss of sensitive data
- financial costs through loss of business
- business downtime
- damage to the business brand and reputation
While businesses still have many privileged identities left unprotected, such as application and machine identities, attackers will continue to exploit and impact business operations in return for a ransom payment, Carson said.
"The good news is that organizations realize the high priority of protecting privileged identities," he added. "The sad news is that many privileged identities are still exposed as it is not enough just to secure human privileged identities."
The survey also found that 90% of respondents agree that identity security is important to meeting business goals, while 87% said they agree that securing identities is a top priority for the next 12 months.
Just under 30% of respondents, however, said they are running to keep up with demands, lacking either the resources or the budget to fully implement an agreed-upon strategy.
At the same time, more than half of organizations surveyed said they haven't implemented ongoing security policies and processes for access management, such as multifactor authentication (MFA) or password rotation or approvals, among other defense approaches.
Need for Better Communication Between IT Security Decision-Makers and C-Suite
The security gap is not only increasing between the business and attackers, but also between the IT leaders and the business executives, according to Carson.
"While in some industries this is improving, the issue still exists," he said. "Until we solve the challenge on how to communicate the importance of cybersecurity to the executive board and business, IT security decision-makers will continue to struggle to get the needed resources and budget to close the security gap."
From Carson's perspective, that means there needs to be a change in the attuite at the C-suite level.
"In order to make this possible, the communication between IT security leaders and the C-suite must also change to one that demonstrates the relationship between cybersecurity and the value to the business," he explained. "For too long we have focused on fear when discussing cybersecurity."
Carson said the attitude must shift to focus on business value and how cybersecurity is actually helping the business be successful.
Until the communication between IT security leaders and the C-suite evolves, the C-suite will continue to see cybersecurity simply as a checkbox approach or look to cyber-insurance as the way to cover the risks exposed to the organization, he said.
"I believe that the issue here is all about communication, and communicating cybersecurity business risks is an area we must focus on moving forward," Carson said.