How People, Process and Technology Challenges Are Hurting Cybersecurity Teams

In a commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable, we set out to understand the real-world challenges standing in the way of effective risk-reduction practices. Here’s what we learned. 

At a time when cybersecurity programs are facing unprecedented levels of scrutiny by government agencies, insurance companies and investors, many organizations find it challenging to effectively report and communicate about risk. They’re restricted by an array of people, process and technology challenges that, taken together, make it extremely difficult to practice preventive cybersecurity, even as the attack surface becomes ever more complex.

A new white paper, "Old Habits Die Hard: How People, Process and Technology Challenges Are Hurting Cybersecurity Teams," reveals that, in the last two years, the average organization was prepared to preventively defend 57% of the cyberattacks they encountered. However, having only this much coverage leaves them vulnerable to 43% of these attacks, which they were forced to reactively mitigate rather than stop altogether. Nearly three-quarters (74%) of security and IT leaders believe their organization would be more successful at defending against cyberattacks if it devoted more resources to preventive cybersecurity. The white paper is based on a commissioned survey of 825 cybersecurity and IT leaders conducted in 2023 by Forrester Consulting on behalf of Tenable.

The complexity of IT infrastructure — with its reliance on multiple cloud systems, numerous identity and privilege management tools and multiple web-facing assets — brings with it numerous opportunities for misconfigurations and overlooked assets. Preventive cybersecurity requires the ability to assess and prioritize vulnerabilities and misconfigurations in context with user data and asset prioritization so that IT and cybersecurity employees can make the right decisions about which systems or classes of users and assets to remediate first. Yet, the siloed nature of the thousands of point solutions offered by cybersecurity vendors makes it nearly impossible for security and IT leaders to understand the full depth and breadth of an organization’s exposure. 

Many organizations still struggle with the basics of patching software vulnerabilities — and such flaws are merely one element of an organization’s overall exposure. Preventively addressing system misconfigurations brings its own set of challenges. Further complicating matters, organizations struggle to obtain an accurate picture of their attack surface, including visibility into unknown assets, cloud resources, code weaknesses and user entitlement systems.

It all starts with people 

Internal processes and attitudes can create conflicts that end up derailing efforts to implement preventive cybersecurity strategies. Cybersecurity and IT teams are often siloed and their performance is evaluated using separate and contradictory criteria and goals. Internal attitudes further serve to make coordination between IT and security teams difficult and time-consuming. 

The result of this mismatch? Nearly six in 10 respondents (58%) say the cybersecurity team is too busy fighting critical incidents to take a preventive approach to reducing their organization’s exposure. Four in 10 (40%) find coordination between IT and cybersecurity teams difficult and time-consuming and nearly two-thirds (65%) say IT is more concerned with uptime than patching/remediation. 

Siloed systems are not only a drain on human resources, they make it challenging to create meaningful risk reports from disparate data sources. Seven in 10 respondents (71%) have 25 or more employees devoted to deployment, support, maintenance and/or vendor relationships for the preventive cybersecurity tools they use. On average, organizations spend 15 hours per month creating security reports for business leaders. 

People challenges beget process challenges

Organizational silos stand in the way of effective collaboration. For example, although the majority of respondents (53%) cite cloud infrastructure — specifically public, multi-cloud and/or hybrid cloud — as the greatest source of exposure in their organization, cybersecurity is often left out of the cloud deployment decision-making process. 

Over a third of IT and cybersecurity leaders agree the cybersecurity team is not consulted early enough in the process of choosing and deploying cloud services, while 31% say their business and engineering teams purchase and deploy cloud services without informing the cybersecurity team

Frequent meetings and communication about the business criticality of systems are essential for reducing risk, yet such meetings take place monthly (at best!). More than 20% of organizations only meet once a year (or less). 

Technology exacerbates the challenges facing cybersecurity teams

A hodgepodge of siloed cybersecurity tools makes it difficult for cybersecurity and IT leaders to gain meaningful insights about the depth and breadth of their exposure. Professionals using siloed tools are unable to determine the relationships among users, systems and software, and different measurement metrics among all the various tools make it difficult to accurately assess risk. Further complicating matters, three out of four of the most frequently used cybersecurity tools are reactive, not preventive, making proactive cybersecurity practices difficult to execute. Even more concerning, the siloed nature of cybersecurity tools makes it difficult for IT and security pros to provide senior management with comprehensive, easy-to-understand risk management metrics — making it challenging for management to properly understand the organization’s risk posture, allocate budgets accordingly and meet government and industry standards for risk reporting. 

Important context about users and access privileges is also hard to come by: seven in 10 (70%) say their siloed systems form a barrier for obtaining user data. While most respondents (75%) say they consider user identity and access privileges when they prioritize vulnerabilities for remediation, half say their organization lacks an effective way of integrating such data into their preventive cybersecurity and exposure management practices. 

If you’re ready to learn more about these challenges, gain insight into how the most mature organizations are addressing them and see recommendations for next steps:

• Join Tenable’s CIO, CSO and CTO on Dec. 14, 2023 at 2pm ET for a panel webinar – learn more and register here

• Read the whitepaper: "Old Habits Die Hard: How People, Process and Technology Challenges Are Hurting Cybersecurity Teams."