News Feed Item

CIOs Admit to Wasting Millions on Cybersecurity that Doesn't Work on Half of Attacks

New Venafi survey shows 90% of CIOs expect to be attacked because they're blind to new threats

SALT LAKE CITY, Feb. 24, 2016 /PRNewswire/ -- Venafi, the Immune System for the Internet™, announced today the findings of a global survey of 500 CIOs conducted by Vanson Bourne about the prevalence and business impact of failed IT security. The survey found overwhelming consensus among IT executives that the foundation of cybersecurity—cryptographic keys and digital certificates—is being left unprotected, leaving enterprises blind, in chaos, and unable to defend their businesses.

CIOs acknowledge they are wasting millions of dollars on layered security defences because these tools blindly trust keys and certificates—unable to differentiate between which keys and certificates should be trusted and which shouldn't. With Gartner predicting that 50% of network attacks will come over SSL/TLS this means popular security systems like FireEye will only work half of the time. And CIOs recognize that this chaos is jeopardizing their most strategic plans to build Fast IT organizations around DevOps.

Key findings include:

  • 87% of CIOs believe their security defences are less effective since they can't inspect encrypted network traffic for attacks
  • 90% of CIOs have or expect to suffer from an attack in which encrypted traffic is used to hide the attack
  • 86% of CIOs think stolen encryption keys and digital certificates will be the next big market for hackers
  • 79% of CIOs agree that their core strategy to accelerate IT and innovation is in jeopardy because these initiatives introduce new vulnerabilities

Enterprises rely on tens of thousands of keys and certificates as the foundation of trust for their websites, virtual machines, mobile devices, and cloud servers. The technology was adopted to help solve the original Internet security problem of knowing what is safe and private. From online banking, secure communications and mobile applications to the Internet of Things, everything IP-based depends upon a key and certificate to create a trusted and secure connection. But unprotected keys and certificates are being misused by cybercriminals to hide in encrypted traffic, spoof websites, deploy malware, elevate their privileges, and steal data.

Deployed technologies like endpoint protection, advanced threat protection, next generation firewalls, behavioural analytics, intrusion detection systems (IDS) and data loss prevention (DLP) are fundamentally flawed because they cannot determine which keys and certificates are good or bad, friend or foe. As a result, one consequence is that they are unable to inspect the vast majority of encrypted network traffic. This leaves gaping holes in enterprise security defences. Cybercriminals are taking advantage of these security blind spots and are using unprotected keys and certificates to hide in encrypted traffic and circumvent security controls.

Download the report: 2016 CIO Study Results – The Threat to Our Cybersecurity Foundation 

"Keys and certificates are the foundation of cybersecurity, authenticating system connections and telling us if software and devices are doing what they are meant to. If this foundation collapses, we're in serious trouble," comments Kevin Bocek, Vice President Threat Intelligence and Security Strategy at Venafi. "With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets' websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private."

"Increasingly, the systems we've put in place to verify and establish online trust are being turned against us. Worse still, the vendors that tell us they can protect us, can't. Endpoint protection, firewalls, IDS, DLP and the like are worse than useless because they are lulling people into a false sense of security. This research shows CIOs now understand they are wasting millions because security systems like FireEye can't stop half of the attacks. Gartner predicts that by 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls; these technologies can't defend against any of that! When you consider that the market for enterprise security is worth an estimated $83 billion worldwide, that's a lot of money being wasting on solutions that can only do their jobs some of the time."

"And the public markets are efficiently reflecting a loss of confidence in cybersecurity. It's no coincidence that 90% of CIOs admit to wasting billions on inadequate cybersecurity at the same time the HACK cybersecurity fund drops by 25% since November 2015. This is well ahead of the overall market downturn with a 10% decline in the S&P500 index."

The risks from unmanaged and unprotected keys and certificates increase as their numbers grow. A recent Ponemon report reveals that the average enterprise has more than 23,000 keys and certificates, and 54% of security professionals admit to not knowing where all of their keys and certificates are located, who owns them, or how they are used. CIOs are concerned that the increase in keys and certificates to support new IT initiatives will confound the problem.

In light of Encryption Everywhere plans, driven in large part by Edward Snowden's revelations and breach of the NSA, virtually all CIOs (95%) indicated they are worried about how they will securely manage and protect all encryption keys and certificates. And as the speed of IT increases—creating and decommissioning services based on elastic needs—keys and certificates will grow in orders of magnitude. When asked if the speed of DevOps makes it more difficult to know what is trusted or not in their organizations, 79% of CIOs said yes.

"Gartner predicts that by 2017 three out of four enterprise organizations will be moving to a bi-modal IT structure with two stream/two speed IT: one that supports existing apps that require stability and another that delivers fast IT for innovation and business-impacting projects.," said Bocek. "Yet using agile methods and introducing DevOps is an extremely high risk and chaotic endeavour. In these new environments security will always suffer and it will become virtually impossible to keep track of what can and can't be trusted."

"This is why we need an immune system for the internet," Bocek concludes. "Like a human immune system, it lets organizations know instantly which keys and certificates should be trusted and which shouldn't. With trust in keys and certificates restored, the value of a business's other security investments increases."

The research was conducted by independent market research company Vanson Bourne who surveyed a total of 500 CIOs from large enterprises from France, Germany, US and the UK.

About Vanson Bourne
Vanson Bourne is an independent specialist in market research for the technology sector. Our reputation for robust and credible research-based analysis is founded upon rigorous research principles and our ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets. For more information, visit www.vansonbourne.com.

About Venafi
Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity—cryptographic keys and digital certificates—so they can't be misused by bad guys in attacks. In today's connected world, cybercriminals want to gain trusted status and remain undetected, which makes keys and certificates a prime target. Unfortunately, most security systems blindly trust keys and certificates, allowing bad guys to use them to hide in encrypted traffic, spoof websites, deploy malware, and steal data. As the Immune System for the Internet, Venafi patrols across the network, on devices, behind the firewall, and throughout the internet to determine which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not.

As the market-leading cybersecurity company in Next Generation Trust Protection (NGTP) and a Gartner-recognized Cool Vendor, the Venafi Trust Protection Platform™ protects keys and certificates and eliminates blind spots from threats hidden in encrypted traffic. As part of any enterprise infrastructure protection strategy, Venafi TrustAuthority™, Venafi TrustForce™, and Venafi TrustNet™ help organizations know what's trusted and "self" in order to regain control over keys and certificates on mobile devices, applications, virtual machines and network devices and out in the cloud. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, business, and brand. Venafi Threat Center also provides primary research and threat intelligence for attacks on keys and certificates.

Venafi is the market leading cybersecurity company in Next Generation Trust Protection (NGTP). As a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to secure cryptographic keys and digital certificates that every business and government depends on for secure communications, commerce, computing, and mobility. With little to no visibility into how the tens of thousands of keys and certificates in the average enterprise are used, no ability to enforce policy, and no ability to detect or respond to anomalies and increased threats, organizations that blindly trust keys and certificates are at increased risk of costly attacks, data breaches, audit failures and unplanned outages.

Venafi customers are among the world's most demanding, security-conscious Global 2000 organizations in financial services, retail, insurance, healthcare, telecommunications, aerospace, manufacturing, and high tech. Today Venafi protects four of the top five U.S. banks, eight of the top U.S. 10 health insurance companies and four of the top seven U.S. retailers. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Intel Capital, Origin Partners, Pelion Venture Partners, QuestMark Partners, and Silver Lake Partners. For more information, visit www.venafi.com.

To view the original version on PR Newswire, visit:http://www.prnewswire.com/news-releases/cios-admit-to-wasting-millions-on-cybersecurity-that-doesnt-work-on-half-of-attacks-300225208.html


More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Daniel Jones is CTO of EngineerBetter, helping enterprises deliver value faster. Previously he was an IT consultant, indie video games developer, head of web development in the finance sector, and an award-winning martial artist. Continuous Delivery makes it possible to exploit findings of cognitive psychology and neuroscience to increase the productivity and happiness of our teams.
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory? In her Day 2 Keynote at @DevOpsSummit at 21st Cloud Expo, Aruna Ravichandran, VP, DevOps Solutions Marketing, CA Technologies, was jo...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...
Evan Kirstel is an internationally recognized thought leader and social media influencer in IoT (#1 in 2017), Cloud, Data Security (2016), Health Tech (#9 in 2017), Digital Health (#6 in 2016), B2B Marketing (#5 in 2015), AI, Smart Home, Digital (2017), IIoT (#1 in 2017) and Telecom/Wireless/5G. His connections are a "Who's Who" in these technologies, He is in the top 10 most mentioned/re-tweeted by CMOs and CIOs (2016) and have been recently named 5th most influential B2B marketeer in the US. H...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER give you detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPO also offers s...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
@DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises - and delivering real results.