Control failures are the primary reason for data breaches

Senior cybersecurity professionals reveal their number one frustration is the inability to continuously measure enterprise-wide security posture and identify control failures.

Panaseer has released the third edition of its Security Leaders Peer Report looking at the concerns and constraints currently faced by CISOs and other senior cybersecurity leaders across the US and UK. The survey of over 800 respondents from large organisations conducted by Censuswide found that almost 9 in 10 security leaders see the failure of controls expected to be in place as the primary reason for data breaches, and 79% of enterprises have experienced cyber incidents that should have been prevented with existing safeguards. As a result, most breaches are preventable but are still occurring – and security leaders are becoming increasingly frustrated.

For the first time, the 2023 report examines how security professionals are personally impacted by the high-pressure environment they work in. Many revealed that a lack of visibility and understanding of their security posture is the leading cause of their frustrations – specifically, the inability to continuously measure enterprise-wide security posture and identify control failures (ranked as number one, with 70% frustrated). Incidents that should have been stopped by an expected control followed closely, with 68% exasperated by this inability to stop preventable breaches. Respondents also pointed to issues with data and tooling as a bigger driver for security team resignations than demands for higher salary and greater seniority.

Each year, the report also looks at how much time security teams dedicate to manually collecting and reporting on security data. This year, Panaseer found that teams spend 59% of their time on these tasks – a 9% increase on the previous year’s research, and a 64% rise from the first survey in 2019. In fact, 70% of security teams now spend more than half of their time on manual reporting, leaving less time for threat detection and vulnerability patching.

As explained by Andreas Wuchner, Field CISO at Panaseer, “To effectively reduce the significant amount of time spent manually reporting, CISOs and their teams need to be looking to automation. As well as freeing up qualified security professionals to dedicate time to higher value tasks – from threat detection to business continuity planning – automation provides the road to accurate, trustworthy data. We need to prioritise the maturation of automation, metrics and risk management in order to help teams cope with heavy reporting workloads.”

Measuring risk

When it comes to overcoming preventable breaches and frustrated security teams, only 44% of organisations are extremely confident in their ability to continuously measure their control gaps. Respondents pointed to a lack of internal resources (39%), inability to evidence remediation (38%), ineffective tooling (34%) and poor control failure visibility (34%) as the reasons behind this lack of confidence.

However, 82% agree that monitoring and addressing expected control failures and risk would likely have a bigger impact on their security posture than buying additional tools. This is particularly pertinent given the issue of tool sprawl – the two previous reports found that it is not uncommon for organisations to use more than 75 or even 100 security tools.

Fortunately, awareness of how these control failures can be addressed is growing. 88% of security leaders stated they are likely to implement a Continuous Controls Monitoring (CCM) platform in the next two years, a solution critical to measuring and advising on security control effectiveness. That compares to 79% who said the same in 2022.

“Unfortunately, the majority of breaches we see occur because of a preventable security control failure,” says Jim Doggett, CISO at Semperis. “By going back to basics, reducing complexity and truly knowing their security stack – the tools they have and their utilisation – security leaders can achieve an end-to-end view of their organisations’ security posture. And increasingly, they are converging on CCM to provide the single source of truth they need to do so.”

Other key findings from the report point towards a lack of confidence in what to measure to improve security posture.

These include:

• Nearly all (99%) security leaders are actively engaged in trying to benchmark their security metrics, policies and standards, but almost three-quarters (72%) admit they are not absolutely satisfied with their ability to do so currently.

• Less than half of respondents are highly confident they are continuously evaluating best practice security metrics specifically aligned to their organisational size and industry.

• Of the remainder, 47% simply don’t know the right metrics to monitor and 51% don’t have the resources to help them do it.
