When it comes to repeating mistakes, the words of former President George W. Bush should apply just as much to cybersecurity as they do to the security of the nation: “There's an old saying in Tennessee — I know it's in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can't get fooled again.”
Unfortunately the same doesn't apply to IT professionals, regardless of which state they're in, since they appear to be setting themselves up to be fooled again as a recent study found 46 percent of IT professionals don't change their security strategy after a cyberattack, according to a recent CyberArk survey.
The study also found 89 percent of respondents stated that IT infrastructure and critical data aren't fully protected unless privileged accounts and credentials are secured yet 49 percent of organizations have not privileged account security strategy for the cloud. The study also found there aren't enough organizations that run regular red team exercises that allow ethical hackers to simulate attacks, techniques, and behaviors used by threat actors.
Only 8 percent of security decision makers poled said their organization continuously conducted Red Team exercises despite 44 percent of organizations recognizing or rewarding employees who help to prevent IT security breaches.
As a result, organizations are more prone to have vulnerabilities highlighting the need for DevOps teams to build in security from the start. A separate CyberArk study found a lack of security awareness and planning increase the risk of DevOps secrets exposure.
“Fusing DevOps and security tools and processes will be a success marker in protecting privileged information and secrets,” researchers said in the "CyberArk Global Advanced Threat Landscape Report 2018: Focus on DevOps"report. “What's needed is one dedicated technology tool and a single security stack that can seamlessly connect with DevOps tools and other enterprise security solutions
The report also found that nearly all security pro and DevOps respondents failed to identify all places where privileged accounts or secrets exist and that 73 percent of security respondents reported that their organization has not implemented a privileged account security solution for DevOps.