The City of San Diego seems to have all the building blocks in place to make the smart city an exceptionally safe one when it comes to cyber attacks. Deputy director and CISO Gary Hayslip has built out the city’s security operations center, he’s partnering with innovative security vendors and startups, and conferring with law enforcement to keep up with the latest threats. He has the backing of the mayor and city executives, with plenty of funding, and he’s hiring more staff.
Yet when asked how he would grade his organization’s ability to detect and mitigate cyber threats, he offered a sobering assessment.
“I would probably say about a C+,” Hayslip says. “I’m realistic. There’s a lot of risk out there. We’re dealing with about a million attacks a day on our networks. I’ve got 40 departments, 24 networks and 40,000 endpoints” to protect. As the smart city adds more IoT devices connecting streetlights, stoplights and HVAC systems to the network, the threat surface will only grow.
“We’re definitely going to get destructive-type attacks. I think it’s going to go beyond DDoS, and they’ll try to destroy infrastructure,” Hayslip says.
Many security professionals feel less than certain about their own cyber defenses. Research firm CyberEdge Group and Tenable Network Security asked 700 security practitioners in nine countries and across seven industry verticals about their overall confidence that the world’s cyber defenses are meeting expectations.
According to this year’s data, global cybersecurity confidence fell six points over 2016 to earn an overall score of 70 percent — a “C-” on the report card.
The overall decline in confidence is the result of a 12-point drop in the 2017 Risk Assessment Index, which measured the ability of respondents to assess cyber risk across 11 components of the enterprise IT landscape.
“Based on these numbers, people aren’t very good at finding out what their vulnerabilities are, but when they do find them, they’re really good at patching them,” says Cris Thomas, strategist at Tenable.
For the second year, practitioners cited the “overwhelming cyber threat environment” as the single biggest challenge facing IT security professionals today, followed closely by “low security awareness among employees” and “lack of network visibility” due to BYOD and shadow IT.
No doubt, the dangers are real. Just last week Yahoo disclosed that over a billion user accounts had been stolen – back in 2013. Quest Diagnostics says that the hack of an internet application on its network exposed the personal health information of about 34,000 people.
Venafi CISO Tammy Moskites doesn’t like assigning scores, but she does acknowledge that she’s constantly challenged with “making sure that we’re doing the right things right.”
Sign up for Computerworld eNewsletters.