Organizations are presenting their attackers with an open goal because of tool bloat, a lack of visibility into key assets, and misplaced confidence in their security controls, according to Panaseer.

The security vendor polled 1,200 US and UK enterprise security decision-makers from various industries to compile its Panaseer 2022 Security Leaders Peer Report.

It found that the shift to cloud and remote working has driven a 19% increase over the past two years in the number of security tools organizations must manage – from 64 to 76.

This can increase reporting requirements and generate visibility and security controls gaps that are difficult to close.

Only a third (36%) of respondents said they feel very confident in their ability to prove controls were working as intended. In comparison, the vast majority (82%) claimed to have been surprised by a security event, incident or breach that evaded controls thought to be in place.

According to a Gartner poll of senior executives, security controls failures were the number one cited risk in Q1 2021.

Panaseer also found that just two-fifths of security leaders can confidently understand and remediate underperforming controls and track improvement. A majority (60%) of respondents admitted to not being confident in their ability to measure security controls designed to mitigate ransomware continuously.

Part of the challenge is a lack of insight into key assets such as databases (27%), devices (17%) and IoT endpoints (16%).

The amount of time the average security decision-maker spends on generating manual reports for the board has also surged in the past two years – from 40% to 54%

Panaseer CEO, Jonathan Gill, argued that tool overload has created a major data integration headache for security teams.

“Many organizations try to resolve this with spreadsheets and other in-house solutions that simply increase the reporting and administration burden on precious cybersecurity resources,” he added.

“It’s almost impossible to understand an organization’s assets, the status of controls relating to those assets, and the business context or ownership of the associated vulnerabilities. Most attacks happen despite organizations having invested in controls to defend themselves, but finding those controls were not deployed across all assets as intended.”