Fewer than 50% of information security professionals use penetration testing and vulnerability scanning to test their security operations, according to Cisco’s Annual Security Report 2015.
The study surveyed CISOs and security operations (SecOps) managers to assess their security operations, policies, and procedures.
The survey states that while many respondents believe their security processes are optimised – and that their security tools are effective – in truth, their security readiness likely needs improvement.
Of the respondents, 54% have had to deal with public scrutiny following a security breach.
The survey indicates that CISOs are more optimistic than security operations managers about the state of security in their organisation.
A significantly higher proportion of CISOs (70%) than SecOps managers (57%) say their organisation’s infrastructure is very up to date. Likewise, 62% of CISOs say that their security processes are clear and well understood by all, while only 48% of operations managers feel this way.
The report speculates that CISOs are more optimistic because they are further from the day-to-day reality of security operations.
“A CISO of a very large organisation might not realise that a thousand machines are infected by malware in a typical day, whereas the SecOps manager would have devoted much more time to mitigating the infection, hence his or her less optimistic outlook on organisational security. In addition, CISOs may be setting policies, such as blocking access to social media, which give them the illusion of tighter, more impenetrable security defenses. However, by shutting down such channels completely, security teams may lack knowledge or experience of the threats that still exist just outside their networks.”
About two-thirds of respondents say that their security technologies are up to date and frequently updated.
The survey further shows that telecommunications companies are most likely to say their security infrastructure is kept up to date, while healthcare companies are less likely than other industries to identify an executive accountable for security.