It’s not easy being a CISO (Chief Information Security Officer).
But even those sympathetic to the gruelling job of keeping an organisation and its assets safe in a world of endless attacks might raise their eyebrows at the latest survey from Cisco, which found that 42 percent of CISOs are suffering from cybersecurity fatigue: defined as “virtually giving up” on proactively defending against malicious actors.
Wait, What?
In its sixth annual CISO Benchmark Report, Cisco surveyed 2,800 respondents from 13 countries to capture data on vendor use, mobile and data centre security, and more.
The report emphasises the pressure CISOs are under in an increasingly complex environment, and the sheer volume of alerts they get of threats to infrastructure. (The “virtually giving up” figure doesn’t represent outright despair at security in general. Rather, it captures the challenge of proactively investigating security alerts.)
Why? The number of organisations that receive 100,000 or more daily security alerts has grown from 11 percent in 2017 to 17 percent in 2020. Only 36 percent get fewer than 5,000 alerts daily. (The rate of legitimate incidents at 26 percent is consistent: while vendor products may be improving, the number of false positives is still stupendous.)
The survey is likely to raise eyebrows about how much work there remains to do on the basics of robust security across the enterprise: only 27 percent of organisations are currently using multi-factor authentication (MFA), Cisco’s survey found. (MFA is widely regarded as one of the fundamental steps toward better security.)
Another key concern for 2020, the report notes, is that 46 percent of organisations (up from 30 percent in last year’s report) had an incident caused by an unpatched vulnerability. The consequences of this are worsening: 68 percent of those breached via an unpatched vulnerability suffered losses of 10,000+ data records.
Amid the barrage of statistics, the report makes some sensible suggestions for those CISOs not currently employing such approaches, starting with employing a layered defense, “which should include MFA, network segmentation, and endpoint protection.”
CISO Survey: Get the Basics Right, Please
It also urges companies to “focus on cyber hygiene: shore up defenses, update and patch devices, and conduct drills and training”, as well as adopt an “integrated platform approach when managing multiple security solutions.”
The survey is not the first to note that life as a CISO is increasingly stressful: a 2019 report by security vendor Nominet found that a quarter of CISOs worldwide suffer from physical or mental health issues due to stress, with just under one-in-five turning to alcohol or medication, and more than half failing to switch off from their work.
Earlier this month, meanwhile, Cisco itself patched five serious security flaws in various implementations of its Cisco Discovery Protocol (CDP) – including a bug that would allow an unauthenticated attacker to remotely execute code with root privileges.
CDP is a network protocol that is used to map the presence of other Cisco products in the network. It is implemented in most Cisco products including switches, routers, IP phones and IP cameras, security firm Armis said. Many of these devices “can not work properly without CDP”, and, Armis adds, “do not offer the ability to turn it off.”