Getty Images/iStockphoto
Trust Emerges as Cybersecurity Issue for 42% of Security Decision-Makers
Even though cybersecurity trust is clearly an issue, some trust is also misplaced, with 66 percent of security leaders trusting employees to prevent cyberattacks more than their own teams.
With cyberattacks on the rise, trust in teams and technology is crucial. However, 42 percent of security leaders see a trust deficit as their biggest hurdle, a new survey showed.
The 2023 'State of Cyber Defense Report: The False-Positive of Trust', which polled 1,000 top IT security decision-makers, suggests that lack of trust tops the list of cyber defense challenges.
Notably, despite an average of five major security breaches in the last year, a significant over trust is evident as 37 percent of these leaders fully trust their organization's ability to fight cyberattacks. This high trust level, however, seems misguided as only 4 percent of respondents reported no security incidents, emphasizing the disparity between the perception and the reality of cybersecurity threats.
Experts said that balancing this trust is crucial for elevating an organization's security posture and preventing employee-led incidents.
Lack of communication emerges as the primary reason for trust loss, reported by 47 percent of information security decision-makers. Most respondents (97 percent) expressed incomplete trust across all aspects of their organizations, posing potential risks. The cost of trust deficit is widely recognized, with a staggering 98 percent acknowledging its workplace implications.
Researchers also found that more cybersecurity incidents occur in organizations with a greater number of cybersecurity platforms. This suggests that an overreliance on security tools may not be beneficial and could hint at a lack of comprehensive threat understanding among security teams.
Interestingly, while 95 percent of information security decision-makers feel that senior leadership doubts their security team's defensive capabilities, there is a noticeable overconfidence within the security teams themselves.
This 'over-trust' could arise from a limited understanding of the full scale of what it takes to achieve true cyber maturity, coupled with a need for more resources for managing cybersecurity technologies, thereby emphasizing the need for better trust management and resource allocation in cybersecurity strategies.
A surprising revelation is the misplaced trust in employees over security professionals.
“Respondents find it easier to trust people (and their ability to help mitigate a vulnerability) than technology,” the report stated.
“While employees may be the first line of defense against a cyberattack, it cannot be assumed that they will avoid falling victim to a cyber incident. Of course, businesses need to have up-to-date and recurring cybersecurity training for employees so that they remain aware of potential threats. However, people are understandably fallible, and without the necessary technology in place, businesses will inevitably be woefully unprepared.”
More decision-makers (66 percent) trust employees to thwart a cyberattack than they trust their security team to identify and prioritize security gaps (63 percent). This misplaced trust even surpasses the faith in the accuracy of data alerts (59 percent), the efficacy of cybersecurity tools and technologies (56 percent), and the precision of threat intelligence data (56 percent). Such a complex trust dynamic within organizations presents unique challenges in the quest for robust cybersecurity.
“To navigate the current threat landscape, trust is imperative. There needs to be trust in teams, trust in technology and its configuration, in intelligence sources, and with suppliers. However, there is a critical balance to be made on how much and where that trust should be placed” said Pierson Clair, managing director of Cyber Risk at Kroll.
“Further, there is a frequent overestimation in the capabilities of security tools without continued managed response. Of course, this is understandable, considering the sheer volume of data that security teams deal with and the number of cyber incidents businesses tackle daily. Security teams want solutions that will fix today’s problems, without appreciating the fact that there is no ‘one-and-done’ solution for an everchanging landscape.”