CIOs Wasting Millions on Cybersecurity that Doesn’t Work: Keys and Certificates Must Be Protected

February 24, 2016 | Kevin Bocek
Key Takeaways
  • 90% of CIOs expect to be attacked because they’re blind to new threats, as shown in a new independent survey
  • 87% of CIOs believe their security defences are less effective since they can’t inspect encrypted traffic for attacks
  • 79% of CIOs agree that their core strategy to accelerate IT and innovation is in jeopardy because these initiatives introduce new vulnerabilities

Top CIOs acknowledge they are wasting millions (take your pick: GBP, EUR, or USD) on layered security defences because these technologies blindly trust keys and certificates, according to research we just completed with the independent research firm Vanson Bourne. Attackers use unprotected keys and certificates to bypass these defences: they exploit keys and certificates to hide in encrypted traffic, spoof websites, deploy malware, and steal data.

More: Get the full report, 2016 CIO Study Results: The Threat to Our Cybersecurity Foundation

The research reveals that CIOs understand they are wasting millions because layered security defences such as FireEye cannot stop half of the attacks. More and more network attacks on enterprises use encrypted traffic to bypass controls, and a control that cannot decrypt and inspect that traffic cannot defend against any of it.

The recently released annual threat report from Dell describes the growth in SSL/TLS encryption as a “mixed bag.” In Q4 2015, SSL/TLS connections made up an average of over 64% of web connections, and throughout 2015 each month's SSL/TLS traffic was, on average, 53% higher than in the corresponding month of 2014. Although SSL/TLS is used to secure communications and connections, cybercriminals increasingly use it as an attack vector. Discussing the Dell report, Business Wire explains, “Using SSL or TLS encryption, skilled attackers can cipher command and control communications and malicious code to evade intrusion prevention systems (IPS) and anti-malware inspection systems.”

When you consider that the market for enterprise security is worth an estimated $83 billion worldwide, that is a lot of money being wasted on solutions that can only do their jobs some of the time.

A fatal flaw in the foundation of security.

Keys and certificates are machine identities: they authenticate connections between systems and tell us whether software and devices are doing what they are meant to do. When machine identities are left unmanaged and unprotected, this foundation is threatened, and if it collapses, the Global 5000 and federal governments will be in serious trouble. With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets' websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private.

Layered security (endpoint protection, advanced threat protection, firewalls, behavioural analytics, IDS and IPS systems, and more) is fundamentally flawed because it blindly trusts machine identities and cannot determine which are good and which are bad.

In addition, most security professionals (54%) admit they do not know where all of their keys and certificates are located, who owns them, or how they are used. Without visibility into, and access to, all keys and certificates, security controls cannot inspect the vast majority of encrypted network traffic, which leaves gaping holes in enterprise security defences.

Cybercriminals are taking advantage of these blind spots, using unprotected keys and certificates not only to evade detection but to gain the authentication and trusted status that bypass other security controls and keep their actions hidden.
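Nothing on this page shows what knowing which machine identities to trust looks like in practice, so here is an added example (not Venafi's code and not from the original post) that inventories a PEM bundle and flags the conditions described above: self-signed certificates that no CA vouched for, issuers outside the organisation's trust list, expired or soon-to-expire certificates, and legacy key sizes. The bundle is generated in-process from a constructed "Example Internal CA" and three hypothetical hosts (api.internal.example, legacy.internal.example, rogue.internal.example) so it runs offline; the 30-day and 2048-bit thresholds are assumed policy values, not anything the post specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one inventory row: who the certificate claims to be, who vouched
// for it, when it stops being valid, and why it should not be trusted as-is.
type CertRecord struct {
	Subject, Issuer string
	NotAfter        time.Time
	Findings        []string
}

// AuditCert classifies one parsed certificate against the issuer common names the organisation
// trusts. The policy is hypothetical: flag self-signed certificates (they verify under their own
// key, so nobody vouched for them), unknown issuers, expiry within 30 days, and RSA below 2048 bits.
func AuditCert(c *x509.Certificate, now time.Time, trustedIssuers map[string]bool) CertRecord {
	rec := CertRecord{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName, NotAfter: c.NotAfter}
	add := func(finding string) { rec.Findings = append(rec.Findings, finding) }
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		add("self-signed")
	} else if !trustedIssuers[c.Issuer.CommonName] {
		add("untrusted-issuer")
	}
	switch {
	case now.After(c.NotAfter):
		add("expired")
	case c.NotAfter.Sub(now) < 30*24*time.Hour:
		add("expires-within-30d")
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		add("weak-key")
	}
	return rec
}

// AuditPEM audits every CERTIFICATE block in a PEM bundle in order, skipping keys and other block types.
func AuditPEM(bundle []byte, now time.Time, trustedIssuers map[string]bool) ([]CertRecord, error) {
	var records []CertRecord
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		records = append(records, AuditCert(c, now, trustedIssuers))
	}
	return records, nil
}

// SamplePEM builds a constructed bundle standing in for certificates gathered from an estate: a
// well-issued leaf, a weak and soon-to-expire leaf, and an expired self-signed leaf no CA vouched
// for. Names are hypothetical; key-generation errors are ignored because this is sample data.
func SamplePEM(now time.Time) (bundle []byte, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	goodKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weakKey, _ := rsa.GenerateKey(rand.Reader, 1024) // legacy key size, flagged by the audit
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Internal CA"}, IsCA: true, BasicConstraintsValid: true}
	leaf := func(cn string, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: now.Add(-400 * 24 * time.Hour),
			NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	}
	// issue signs tmpl with key on behalf of parent (parent == tmpl makes it self-signed),
	// appends the PEM to the bundle and records any failure in err.
	issue := func(tmpl, parent *x509.Certificate, pub, key any) {
		tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as real CAs use
		der, e := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
		if err = errors.Join(err, e); e == nil {
			bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
		}
	}
	rogue := leaf("rogue.internal.example", now.Add(-24*time.Hour)) // expired yesterday
	issue(leaf("api.internal.example", now.AddDate(1, 0, 0)), ca, &goodKey.PublicKey, caKey)
	issue(leaf("legacy.internal.example", now.AddDate(0, 0, 10)), ca, &weakKey.PublicKey, caKey)
	issue(rogue, rogue, &rogueKey.PublicKey, rogueKey)
	return bundle, err
}

func main() {
	now := time.Now()
	bundle, err := SamplePEM(now)
	recs, err2 := AuditPEM(bundle, now, map[string]bool{"Example Internal CA": true})
	if err := errors.Join(err, err2); err != nil {
		panic(err)
	}
	for _, r := range recs {
		fmt.Printf("%-24s issuer=%-20s expires=%s findings=%v\n", r.Subject, r.Issuer, r.NotAfter.Format("2006-01-02"), r.Findings)
	}
}
```

Run it with `go run`; pointing `AuditPEM` at a real bundle (for example the certificates collected by a TLS scan of your own estate) turns the same checks into the inventory that 54% of the professionals surveyed say they lack. Self-signedness is decided by verifying the certificate's signature against its own public key, which is the reliable test; comparing the subject and issuer strings is not, because a forged certificate can name any issuer it likes.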

Cybersecurity Is Failing

Globally, there appears to be a loss of confidence in cybersecurity.

The public markets are efficiently reflecting that loss of confidence. It is no coincidence that 90% of CIOs admit to wasting millions on inadequate cybersecurity at the same time as the HACK cybersecurity fund has dropped 25% since November 2015, well ahead of the overall market downturn, a 10% decline in the S&P 500 index.

The number of keys and certificates that enterprises need to secure is exploding. In light of Encryption Everywhere plans, driven in large part by Edward Snowden's breach of the NSA and the revelations that followed, virtually all CIOs surveyed (95%) say they are worried about how they will securely manage and protect all of their encryption keys and certificates.

And as the speed of IT increases, with services created and decommissioned on demand, the number of keys and certificates will grow by orders of magnitude. When asked whether the speed of DevOps makes it harder to know what is and is not trusted in their organizations, 79% of CIOs said yes.

As Fast IT grows, the demand for a secure foundation increases.

Most enterprise organizations have moved to a bi-modal IT structure, two-stream/two-speed IT: one stream supports existing applications that require stability, and the other delivers fast IT for innovation and business-impacting projects. Yet adopting agile methods and introducing DevOps is a high-risk, chaotic endeavour. In these new environments security will always suffer, and keeping track of what can and cannot be trusted becomes virtually impossible.

The Venafi Trust Protection Platform helps you understand which machine identities should be trusted and which shouldn’t. With trust in keys and certificates restored, the value of a business’s other security investments increases.

About the author

Kevin Bocek

Kevin is Vice President of Security Strategy & Threat Intelligence at Venafi. He is recognized as a subject matter expert in threat detection, encryption, digital signatures, and key management, and has previously held positions at CipherCloud, PGP Corporation and Thales.