A new report highlights the disconnect between security professionals’ perception of their organization’s security maturity and the effectiveness of the policies they actually implement.
Researchers from threat detection firm GoSecure developed a survey in collaboration with Serene-Risc, a knowledge mobilization network for the cybersecurity industry.
The research project looked at a series of specific security measures or controls – including multi-factor authentication, password policies, patch management, asset inventories, and endpoint visibility – and examined both whether respondents rated them as important and whether they had actually been implemented.
Survey results were then cross-referenced against what was actually needed, based on the attack vectors that GoSecure penetration testers see in the real world.
The team found that the more of these security measures an organization had implemented, the higher respondents rated its security maturity. However, there were two exceptions – minimum password strength requirements and investigating products for features that could represent a risk.
These two measures did not correlate with perceived security maturity, yet they were closely linked to the major attack vectors found in penetration testing reports.