Confidence is important, but when it comes to cybersecurity, you can have too much of a good thing.
That’s according to a new report from BeyondID that revealed a disconnect between how defenders think of their security posture and how security is actually applied in the workplace. BeyondID CEO and co-founder Arun Shrestha told IT Brew that what he sees as a “confidence paradox” can lead to disaster.
“The paradox is that sometimes we feel like we are in better shape than really we are,” Shrestha said. “And in reality, when you really assess the core of the situation, we find that the facts are very different than the perception.”
In too deep. Often, according to Sophos Red Team Technical Lead Eric Escobar, firms develop unearned confidence by simply purchasing products and assuming that the threat is taken care of. It’s an understandable reaction. But, as Escobar noted, it’s not real. It’s the “magical unicorn of protection.”
“It definitely scares me that people buy tools and then just assume that you know that they’re going to do everything 100% of the time,” Escobar said.
Confidence can be a good thing, Huntress co-founder and CEO Kyle Hanslovan told IT Brew. But it’s important to acknowledge that with every step forward in tech—be it cloud, new products, software, and the like—security may have to take a few steps backward to cover the adoption process. Overconfidence can lead to thinking about these issues incompletely, resulting in a failure to ensure things are properly configured and appropriately developed.
“A lot of people just say, ‘I feel good, but I don’t know what I’m getting wrecked by,’” Hanslovan said. “I think the bigger question is, why are vendors allowed to sell solutions that aren’t secure or configured or fully managed?”
Check the chart. BeyondID’s report numbers indicate that there’s “a systemic misalignment between perception and reality,” and the implementation of AI on both sides of the threat surface is only making things worse. A majority of respondents say their posture is established or advanced, but the reality of their abilities tells a different story.
Those self-identifying as “advanced” in their security posture were following an average of only 4.7 of 12 best security practices. Fewer than three in 10 devote over 20% of their cybersecurity budget to identity, and 34% have failed a compliance audit because of identity security issues. Individually, any one of these concerns could theoretically be chalked up to budget allocation and decision-making—but taken together, they look like potential trouble.
“We work with customers to really organize their thoughts, saying that we all collectively realize, based on the actual true assessment signal of your infrastructure, you are maybe in the traditional foundational, not quite advanced and optimal [level of security],” Shrestha said, adding that’s “because of the disparity and understanding of the real facts versus what they believe they are. That’s really the basis for our report around this confidence paradox.”