Security pros agree about threats—convincing everyone else is the problem

How about that Colonial Pipeline?

As troubling as this event may be, for those of us working in the world of cybersecurity it can be hard to convince others to take dangers like this seriously—regardless of how real and immediate they are.

“Sadly, the upper leadership team does not understand the stakes and why an investment is necessary to protect assets and tomorrow’s productivity,” said one beleaguered security professional we spoke to.

If this sounds like you, you’re not alone. There are plenty who share your pain.

Back in March, Malwarebytes released the SMB Cybersecurity Trust and Confidence Report 2021. For this report, we surveyed 704 cybersecurity professionals from all levels on the corporate ladder, from CISOs on the top rung down to the hardworking sysadmins. Participating small- and medium-sized businesses ranged from 50 to 999 employees. 

What did we find? Security professionals trust their endpoint protection to do its job—with some caveats.

Some 95 percent of respondents say they trust their cybersecurity vendor to provide effective endpoint protection. By that same token, more than 90 percent say their endpoint protection is effective and they’re confident it protects against dangerous threats.

So, what’s the catch?

Decision makers versus decision influencers

To get a better sense of who our survey-takers are and identify any potential difference of opinion, we asked them for their titles. You can see the full breakdown below, but just under half, 48 percent, of our respondents identify as IT directors.

Next, we grouped participants by those who “make the final decision” regarding endpoint protection purchases and those who have “significant influence,” with 52 percent identifying as decision makers and 48 percent identifying as decision influencers.

Those who answered, “Yes, I’m a decision maker” generally have a somewhat rosier disposition when it comes to the dangers their organizations are facing and their ability to stop those dangers. 

We asked, “Has your endpoint protection product ever failed to detect a threat?” Those who make the final decision are more likely than those who influence decision making to say their endpoint protection provider hadn’t failed (64 percent versus 48 percent).

Coming at the issue from another angle, we also asked, “How frequently does your organization register a cybersecurity threat?” Those who make the final decision are far more likely than those who influence decision making to say their organization registers a threat “once a month” or “very often” (26 percent versus 13 percent).

We then asked “Agree or disagree? I believe it’s not a matter of if but when my organization suffers a successful attack or breach.” Just over half, 56 percent, said they agreed. Those who make the final decision agree to this statement significantly more than those who influence decision making (64 percent versus 49 percent).

So, what is the data telling us? Security professionals are confident in their endpoint protection, but they’re realistic about the threats they’re facing. Yes, there are some variations depending on an individual’s position within the org chart; otherwise, everyone is pretty much in agreement on the increasing sophistication and frequency of attacks.

The security ouroboros

Many of the survey respondents expressed frustration with leadership outside of the security org.

We asked, “What’s the biggest obstacle to security at your organization?”

“Buy-in from the leadership team that it is worth the investment versus other priorities,” said one respondent.

Another said, “Faced with a range of obstacles, from slowing budget growth to dissatisfied boards, business and security leaders are being challenged to change the way they approach cybersecurity and risk.”

No budget? No buy-in? Lack of investment? Sounds about right.

At risk of reading too deeply into the data, the implication here is that while businesses get bigger, security orgs stay the same in terms of personnel and infrastructure.

The numbers bear this out: 65 percent of respondents from SMBs with 500 to 999 employees identified as CIO, CISO, or IT director.

Where one would expect to see a pyramid shape from the CISO or CIO on down, with more frontline level employees at the bottom than leaders at the top, the reality has gone all pear-shaped. As mentioned earlier, almost half of total survey respondents identified as IT directors.

Compounding the problem, a significant portion of our respondents believe that bigger organizations make for more frequent targets.

We asked “Agree or disagree? Hackers do not target small- and medium-sized organizations and attack only bigger organizations.” 

Some 39 percent of respondents agreed bigger organizations made for more frequent targets. Among survey respondents at organizations with more than 500 employees, a slightly larger 43 percent agree.

However, those who make the final purchasing decision on endpoint protection agree even more—bigger business, bigger target—than those who just influence decision making (48 percent versus 30 percent).

What does it all mean? For starters, security professionals across the board have faith in their endpoint protection, but they’re frustrated at the lack of support from senior leadership outside of the security org. 

When businesses find success and the dollars start rolling in it’s a given that many of those dollars are going to be earmarked for talent acquisition and IT infrastructure. Unfortunately, from a security perspective, growth at one end doesn’t translate to growth at the other end. Security pros just don’t get the additional resources that they’re expecting—that they need—to accommodate growth within the organization as a whole.

Like a snake eating its own tail, growing businesses have more employees and more endpoints to protect, but security budgets and head count seem to remain stagnant. And the consequences of this security conundrum are dire. Look no further than the latest headlines.

Philip Christian

Cybersecurity writer at Malwarebytes. Types his missives on a manual typewriter.