RedSeal Network Security Practitioner Survey: Pros Concede Hackers Have Them Outgunned Via Tools and Automation

While Enterprises Still Struggle to Consistently Apply Basic Security Practices, Available Attack Tools Allow Hackers To Widen Gap In Security Arms Race, New Study Says

Oct 12, 2011, 09:00 ET from RedSeal Systems

SAN MATEO, Calif., Oct. 12, 2011 /PRNewswire/ -- The numbers don't lie: now, more than ever, security professionals feel outgunned by attackers and the level of automation employed in most campaigns against enterprise IT infrastructure, according to a new survey published today by RedSeal Systems and Dimensional Research entitled, "Hackers Versus Enterprise Security: A Survey of IT Security Professionals."

Interviews with 1,967 professionals at the recent Cisco Live and Black Hat USA conferences found that more than 75 percent of network management and security professionals believe that automated tools give hackers the upper hand in evading the defensive systems utilized by most enterprises to protect their critical assets and data.

Further compounding the issue, a vast majority of those IT pros surveyed reported that their employers – for the most part large organizations – cannot maintain necessary layered defenses based on their inability to determine where gaps in those systems exist.

  • Over 71 percent of respondents admitted that their networks are exposed to external threats due to misconfiguration issues present in their security device infrastructure.  
  • More than 50 percent had no idea how many of their organizations' internal hosts were actually exposed to the Internet.
  • Roughly 52 percent conceded that their vulnerability management initiatives don't allow them to prioritize remediation based on the likelihood of real-world attacks.

"Consistent application of network security controls across even medium sized networks has transcended human ability," said Dr. Mike Lloyd, Chief Technology Officer at RedSeal. "For many years there's been the notion of an arms race between IT security professionals and attackers; what this survey proves is that the good guys understand they're facing a truly daunting task to keep up."

Over 50 percent of those surveyed were responsible for networks containing over 100 or more such devices, suggesting that the sheer size and scale of today's security infrastructure is preventing organizations from adequately maintaining defense.

And while many security regulations and industry leaders have recommended for years that enterprises adopt a more metrics-driven approach toward measuring the effectiveness of security infrastructure, only 47 percent of respondents said that their employers do so today.

"More surprising than the overwhelming perception among today's professionals that hackers have the upper hand, based on attack automation and gaps in enterprise defense, is that so few have access to metrics that demonstrate how well security infrastructure is working," said David Gehringer, Senior Research Analyst for Dimensional Research. "The numbers bear out that there's genuine concern among practitioners that they lack the tools and information needed to stop the threats that their organizations face."

Other key findings include:

  • Vertical trends:
    • Some 86 percent of energy company employees believe hackers have more advanced automated tools, followed by 84 percent of government workers, 79 percent of telecommunications staffers, 71 percent of healthcare practitioners and 70 percent of financial services professionals, respectively.
  • Management lacks top-down visibility into risks:
    • Over 51 percent of chief information security officers said they don't believe, or don't know that vulnerability assessment tools provide enough information to identify their most important security exposures.
    • Some 56 percent of CISOs said they either don't have effective metrics to measure security effectiveness or don't know if those metrics even exist; 55 percent of network management officials made the same admissions.

Survey Methodology:

During July (Cisco Live) and August (Black Hat) 2011, RedSeal invited conference attendees to fill out an informational survey created by Dimensional Research on the topic of network security management, hackers and automation. A total of 1,967 respondents completed the survey. Participants included CISOs (5 percent), CIO/VP of IT (7 percent), Network management (46 percent), Network security (27 percent) and Security management (16 percent) professionals. Participants represented a wide range of industry verticals. Respondents were not compensated for participating in this survey. Follow this link to the full report:

About RedSeal

RedSeal develops proactive network assessment software solutions that allow organizations to assess and strengthen their cyber-defenses. Unlike systems that detect attacks once they occur, RedSeal identifies holes in the security infrastructure that could be exploited—before they are discovered by hackers. RedSeal software analyzes and simplifies the complex interaction of firewalls and all other network security devices, delivering in-depth understanding of overall security standing, continuous compliance with regulations such as PCI, FISMA, and SOX, and actionable steps for risk remediation. For more information, visit RedSeal at and follow us on Twitter @RedSealSystems.

SOURCE RedSeal Systems