Reality check: Your security hygiene is worse than you think it is
Sevco Security has published a report that explores the gap between the perception and the reality of security hygiene and asset management. Drawing on findings from ESG’s “Security Hygiene and Posture Management Survey,” Sevco’s report addresses five unfounded perceptions that many security teams assume to be true, and the realities that reveal alarming security risks.
Unrealistic perception of good security hygiene
The report reveals that the perception of good security hygiene often leads to gaps in asset inventory that leave organizations open to security incidents. One such gap is the assumption that organizations have an accurate understanding of asset inventory. The reality is that on average, organizations discover 20-30% previously unknown devices once various inventory sources have been analyzed and reconciled.
In order to truly have a grasp on asset inventory, security teams must prioritize the difficult task of correlating various data sources to arrive at an accurate picture of the complete asset inventory.
“The responsibilities of today’s security professionals are complex and ever changing,” said J.J. Guy, CEO, Sevco.
“However, it is impossible to secure what you cannot see. With recent findings from ESG exposing wide gaps in asset inventory, the Sevco team felt it was important to dig a bit deeper and uncover why these gaps are happening. We discovered that many IT and security teams have an unrealistic perception of good security hygiene.”
Using the data from ESG’s survey of 400 IT and security professionals as a starting point for its own research, Sevco found additional misalignments in IT inventory priorities, many of which have been an ongoing challenge for security teams. If left unaddressed, these gaps can transform into serious vulnerabilities and areas for increased security risk.
Key recommendations
- As a foundation of any security program, assign clear ownership of asset inventory. Many asset inventory issues stem from siloed ownership of the tools that source inventory data, with no clear owners and no alignment of inventory efforts.
- Change asset inventory processes to make them continuous, not monthly. In today’s highly dynamic IT environments, assessing inventory once a week, much less once a month, is a considerable exposure.
- Without a consistent and continuous correlation process, IT organizations are likely underestimating their total asset inventory by 20-30%. A poor grasp of asset inventory undermines what may otherwise be outstanding efforts, such as a vulnerability management program.
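The correlation step these recommendations rely on can be sketched as follows. This is an added example, not code from the Sevco report: the source names (`edr`, `directory`, `dhcp`), field names and records are constructed, and it assumes short hostnames and MAC addresses identify a device.

```python
import re
from collections import defaultdict

# Constructed sample exports; real source names and fields will differ.
SOURCES = {
    "edr": [{"host": "WS-001.corp.example", "mac": "00:1A:2B:3C:4D:01"},
            {"host": "ws-002", "mac": "00-1A-2B-3C-4D-02"},
            {"host": "srv-db1", "mac": "001a.2b3c.4d03"}],
    "directory": [{"host": h, "mac": None} for h in
                  ("ws-001", "WS-002.corp.example", "srv-db1", "ws-004")],
    "dhcp": [{"host": None, "mac": "00:1a:2b:3c:4d:01"},
             {"host": "ws-004", "mac": "00:1A:2B:3C:4D:04"},
             {"host": "printer-2f", "mac": "00:1A:2B:3C:4D:05"}],
}

def keys(rec):
    """Normalized identifiers: short lowercase hostname, bare-hex MAC."""
    out = []
    if rec.get("host"):
        out.append("host:" + rec["host"].lower().split(".")[0])
    if rec.get("mac"):
        out.append("mac:" + re.sub(r"[^0-9a-f]", "", rec["mac"].lower()))
    return out

def correlate(sources):
    """Union records sharing any identifier; return [(ids, sources_seen)]."""
    parent, seen = {}, defaultdict(set)
    def find(k):
        parent.setdefault(k, k)
        while parent[k] != k:
            k = parent[k]
        return k
    for name, recs in sources.items():
        for rec in recs:
            ks = keys(rec)
            for k in ks:  # first pass registers ks[0]; later ones merge into it
                parent[find(k)] = find(ks[0])
                seen[ks[0]].add(name)
    assets = defaultdict(lambda: (set(), set()))
    for k in parent:
        assets[find(k)][0].add(k)
    for k, names in seen.items():
        assets[find(k)][1].update(names)
    return list(assets.values())

def coverage_gap(sources, baseline):
    """Return (total correlated assets, assets the baseline source lacks)."""
    assets = correlate(sources)
    return len(assets), [ids for ids, srcs in assets if baseline not in srcs]
```

With the constructed data, the EDR export lists three devices while correlation across all three sources yields five, so an inventory built on the EDR alone misses two.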