Ponemon Study: 53 Percent of IT Security Leaders Don’t Know if Cybersecurity Tools are Working Despite an Average of $18.4 Million Annual Spend

SAN DIEGO--AttackIQ™, a leader in the emerging market of continuous security validation, today released a report based on Ponemon Institute research evaluating the efficacy of enterprise security strategies. Ponemon surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organization’s IT security strategy, tactics and technology investments. The results clearly demonstrate that the majority of organizations don’t know if the security tools they deploy are working, and are not confident they can avoid data breaches.

“The significant number of security experts who have observed a security control falsely reporting it blocked a cybersecurity attack is alarming,” said Larry Ponemon, founder and chairman of Ponemon Institute. “When processes and solutions like this fail, many companies respond by throwing more money at the problem. Further security spending needs to be put on hold until enterprise IT and security leaders understand why their current investments are not able to detect and block all known adversary techniques, tactics and procedures.”

According to the findings, organizations are investing heavily in cybersecurity technologies, but their IT teams are unsure if these tools are working as expected in terms of truly protecting the network. Key data points include:

  • Companies surveyed are spending an average of $18.4 million annually on cybersecurity
  • 58 percent of companies will be increasing their IT security budget by an average of 14 percent in the next year
  • 53 percent of IT experts admit they don’t know how well the cybersecurity tools they’ve deployed are working
  • 63 percent of respondents said they have observed a security control reporting it blocked an attack when it actually failed to do so
  • Only 39 percent of respondents say they are getting full value from their security investments

Despite deploying many different cybersecurity solutions, companies are not confident their technology investments, staff and processes can reduce the chances of a data breach. This lack of confidence stems largely from uncertainty in the efficacy of cybersecurity tools and the ability of staff to identify gaps in security and to respond to security incidents in a timely manner. Key data points include:

  • Companies deploy on average 47 different cybersecurity solutions and technologies
  • Less than half of IT experts are confident that data breaches can be stopped with their organization’s current investments in technology and staff
  • 56 percent of respondents say a reason data breaches still occur is because of a lack of visibility into the operations of their security program
  • Only 41 percent of respondents say their IT security team is effective in determining gaps in IT security infrastructure and closing those gaps
  • 75 percent of respondents say their IT security team is unable to respond to security incidents within one day

IT experts believe penetration testing is effective in uncovering cybersecurity gaps, but many are not conducting penetration testing on a continuous basis. Key data points include:

  • 57 percent of respondents say their IT security teams conduct penetration testing
  • 65 percent of respondents say their penetration testing is very effective or effective in uncovering security gaps, but almost one-third have no set schedule for penetration testing and only 13 percent conduct penetration testing daily
  • Only 48 percent of respondents say their organization leverages a continuous security validation (CSV) platform that allows them to determine how well security solutions are performing, but 68 percent of these respondents say their CSV platform is effective in finding security gaps

“Companies are spending far too much money on cybersecurity solutions without knowing if they are effective,” states Brett Galloway, CEO of AttackIQ. “More than half of the experts surveyed admit they are in the dark about how well the technologies they have are working and if they’re truly effective, which is alarming considering companies are relying on these technologies to protect sensitive information including customer data. Organizations must be certain their security measures can effectively prevent critical infrastructure disruption, and AttackIQ was created specifically to meet this need. AttackIQ operationalizes the industry standard MITRE ATT&CK framework to systematically test the efficacy of companies’ security programs, and identifies gaps in coverage or configurations.”

To see this Ponemon research data, download AttackIQ’s report, “The Cybersecurity Illusion: The Emperor Has No Clothes,” here: http://go.attackiq.com/PR-2019-PONEMON-REPORT_LP.html

Larry Ponemon; Carl Wright, chief commercial officer of AttackIQ; and Chris Kennedy, CISO and vice president of customer success at AttackIQ, will discuss the findings of this report and key takeaways for enterprise security in a webinar on Monday, August 19 at 10 a.m. PT. To register to attend the webinar, please visit: http://go.attackiq.com/WB-19Q3-2019-Ponemon-Live-Webinar_LP-PR.html

Sponsored by AttackIQ, Ponemon Institute surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organization’s IT security strategy and tactics. More than half of respondents (58 percent) are at or above the supervisory levels.

About AttackIQ

AttackIQ, a leader in the emerging market of continuous security validation, built the industry’s first platform that enables red and blue teams to test and measure the effectiveness of their security controls and staff. With an open platform, AttackIQ supports the MITRE ATT&CK framework, a curated knowledge base and model for cyber adversary behavior used for planning security improvements and verifying defenses work as expected. AttackIQ’s platform is trusted by leading companies around the world. For more information visit www.attackiq.com. Follow AttackIQ on Twitter, Facebook, LinkedIn, Vimeo, and YouTube.
Emily Ashley
PR for AttackIQ
(916) 710-0950

Release Summary

Ponemon Institute report reveals most IT security practitioners are not confident their security tools are working, or that they can avoid breaches.