According to a new report, a survey conducted with over 800 CISOs and other senior cybersecurity leaders across the US and UK found that almost nine out of 10 see the failure of controls expected to be in place as the primary reason for data breaches.

The report, produced by Panaseer, says that 79% of enterprises say they have experienced cyber-incidents that should have been prevented with existing safeguards. As a result, most breaches are preventable but still occur.

Another finding revealed that a lack of visibility and understanding of their security posture is a leading cause of frustrations – specifically, the inability to continuously measure enterprise-wide security posture and identify control failures (ranked as number one, with 70% frustrated). Incidents that should have been stopped by an expected control followed closely, with 68% exasperated by this inability to stop preventable breaches. Respondents also pointed to issues with data and tooling as a bigger driver for security team resignations than demands for higher salary and greater seniority.

The survey found that teams spend 59% of their time manually collecting and reporting on security data – a 9% increase on the previous year’s research. Furthermore, 70% of security teams now spend more than half of their time on manual reporting, leaving less time for threat detection and vulnerability patching.

“To effectively reduce the significant amount of time spent manually reporting, CISOs and their teams need to be looking to automation,” said Andreas Wuchner, Field CISO at Panaseer. “As well as freeing up qualified security professionals to dedicate time to higher value tasks – from threat detection to business continuity planning – automation provides the road to accurate, trustworthy data. We need to prioritize the maturation of automation, metrics and risk management in order to help teams cope with heavy reporting workloads.”

In overcoming the issue of preventable breaches and frustrated security teams, only 44% of organizations are extremely confident in their ability to continuously measure their control gaps. Respondents have pointed to a lack of internal resources (39%), inability to evidence remediation (38%), ineffective tooling (34%) and poor control failure visibility (34%) as the reasons behind this lack of confidence.

However, 82% agree that monitoring and addressing expected controls failure and risk would likely have a bigger impact on their security posture than buying additional tools. This is particularly pertinent given the issue of tool sprawl – the two previous reports have found that it’s not uncommon for organizations to use more than 75 or even 100 security tools.

Awareness of how these control failures can be addressed is growing, with 88% of security leaders stating they are likely to implement a Continuous Controls Monitoring (CCM) platform in the next two years.

Other key findings from the report include:

• Nearly all (99%) security leaders are actively engaged in trying to benchmark their security metrics, policies and standards, but almost three-quarters (72%) admit they are not absolutely satisfied with their ability to do so currently
• Less than half of respondents are highly confident they are continuously evaluating best practice security metrics specifically aligned to their organizational size and industry
• Of the remainder, 47% simply don’t know the right metrics to monitor and 51% don’t have the resources to help them do it