The latter, however, is a "whole different can of worms", he lamented. "You have no control over employees' devices, so the best thing that you can do is to identify devices that may be imposing a threat to your network infrastructure. Network administrators need to discover them actively rather than passively, and leverage vulnerability scanners to scan the network traffic and detect things that shouldn't be there."
Uninvested board members are another challenge. On the upside, respondents largely believe they have the tools in place to measure overall security effectiveness (B-) and to convey security risks to executives and board members (B). On the downside, respondents question whether their executives and board members fully understand those security risks (C+) and are investing enough to mitigate them (C).
"As with every security matter in any organisation, it all needs to start from the top," said Bussiere. "If you don't have board-level buy-in, you are not going to have the money to do a proper job of implementing security."
"In order to measure the effectiveness of your security investment, you need to have the necessary tools in place. These tools do not necessarily exist to allow the board to understand the risk to the business from a security context because security is a technical thing, and people generally think of it in terms of business. You need to translate and rationalise things in a business context instead," said Bussiere.
"As such, you need to present useful data to the C-level executives, show them where the risk is at, and convince them to amplify the investment in that particular area to fix vulnerabilities. This actually makes it more measurable and a lot more palatable to explain from a technical to a business standpoint, and the security risk will go down."
Crafting a solid security strategy
So what can IT security professionals do to improve their organisations' abilities to assess and mitigate network security risks?
1. Raise the cost for an attacker
The best deterrence against cyberattacks is to focus on the basics. By adhering to a few fundamental practices, security teams can effectively raise the cost for an attacker to the point that the payoff isn't worth the effort.
According to Bussiere, it is imperative for IT security professionals to know and understand everything that is happening on their network. Second, they should constantly monitor their network infrastructure and religiously remove vulnerabilities and misconfigurations, while making use of available technologies to prevent and detect malicious activity. Third, they should manage admin privileges and restrict employees' access where necessary, so that they can only access what they need.
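The two practices above that lend themselves to automation are knowing what is on the network and spotting unregistered devices (the point Bussiere makes about employee-owned devices earlier in the piece). The script below is an added example, not code from the article or from Tenable: it reconciles a constructed DHCP lease table (dnsmasq-style lines, made up here) against a constructed asset inventory and reports every host that nobody registered, plus inventoried hosts that are not under management. The inventory layout, the `managed` flag and all MAC/IP values are assumptions for the example; the same reconciliation works unchanged on the host list produced by an active sweep instead of passive lease data.

```python
"""Reconcile observed network hosts against an asset inventory.

Added example (not from the article). All records below are constructed:
a small inventory keyed by MAC address and a handful of DHCP lease lines
in the format dnsmasq writes (expiry mac ip hostname client-id).
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed asset inventory: MAC -> metadata. The "managed" flag is an
# assumption meaning "has the organisation's endpoint agent installed".
INVENTORY: Dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"owner": "it", "tag": "SRV-001", "managed": True},
    "aa:bb:cc:00:00:02": {"owner": "finance", "tag": "LT-042", "managed": True},
    "aa:bb:cc:00:00:03": {"owner": "hr", "tag": "LT-077", "managed": False},
}

# Constructed lease records; the last one is a device no one registered.
LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.0.10 fileserver 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.0.21 finance-laptop 01:aa:bb:cc:00:00:02
1700000000 aa:bb:cc:00:00:03 10.0.0.22 hr-laptop 01:aa:bb:cc:00:00:03
1700000000 de:ad:be:ef:00:01 10.0.0.99 android-7f3 *
"""


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str


def parse_leases(text: str) -> List[dict]:
    """Parse dnsmasq-style lease lines into dicts; malformed lines are skipped."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        hosts.append({
            "mac": parts[1].lower(),
            "ip": parts[2],
            "hostname": parts[3],
        })
    return hosts


def reconcile(hosts: List[dict], inventory: Dict[str, dict]) -> List[Finding]:
    """Return one Finding per host that is unknown or known but unmanaged."""
    findings = []
    for host in hosts:
        entry = inventory.get(host["mac"])
        if entry is None:
            findings.append(Finding(host["mac"], host["ip"], host["hostname"],
                                    "not in asset inventory"))
        elif not entry.get("managed", False):
            findings.append(Finding(host["mac"], host["ip"], host["hostname"],
                                    f"inventoried ({entry['tag']}) but unmanaged"))
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings as one line each, suitable for a ticket or a log."""
    return "\n".join(f"{f.ip:<12} {f.mac}  {f.hostname:<16} {f.reason}"
                     for f in findings)


if __name__ == "__main__":
    print(report(reconcile(parse_leases(LEASES), INVENTORY)))
```

Run on a schedule, the unknown-device list becomes the input for the active follow-up Bussiere recommends: a targeted vulnerability scan of just those addresses, and a decision on whether each one belongs on the network at all.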
The fundamentals of cybersecurity haven't changed in decades, but as the high-profile breaches of 2015 show, many organisations are still not taking the time or spending the money to position themselves for success.