The financial services industry dropped to second in the Tenable Network Security annual cybersecurity scorecard, which also revealed risk assessment for cloud and mobile among the world’s biggest enterprise security weaknesses.


Columbia, Md.-based Tenable’s 2017 Global Cybersecurity Assurance Report Card surveyed more than 700 IT security practitioners in nine countries and across seven industry verticals to calculate a global index score reflecting overall confidence that cyberdefenses are meeting expectations. The overall result for all surveyed: 70%, an unremarkable C.


“Today’s network is constantly changing, mobile devices, cloud, IoT, web apps, containers, virtual machines, and the data indicates that a lot of organizations lack the visibility they need to feel confident in their security posture,” Cris Thomas, strategist, Tenable Network Security, said. “It’s pretty clear that newer technologies like DevOps and containers contributed to driving the overall score down, but the real story isn’t just one or two things that need improvement, it’s that everything needs improvement.”


Retail took the lead this year from financial services and telecom, which in 2016 tied for first place among industries surveyed with an overall report card score of 81% (B-). This year, six of the seven overall industry scores fell, with telecom experiencing the most significant drop, down 11 points to 70% (C-) followed closely by financial services, down nine points to 72% (C-).


The single biggest drop in risk assessment this year is web applications, which fell 18 points from 80% (B-) in 2016 to 62% (D-) in 2017. The ability to access these services online and from mobile phones puts them right at users’ fingertips, but also creates new security challenges. “If application-centric security is the future, we have a long way to go,” the scorecard report said.


The assurance report card revealed that the constantly evolving and multiplying threat landscape — cited for the second year in a row as the number one challenge for security pros — heightened technological complexity and created even more opportunity for attackers to exploit gaps in security coverage. This leaves all organizations vulnerable to compromise and breach, regardless of the size of their security investments.


The report found accelerated adoption of cloud and mobile computing, combined with the emergence of DevOps, where software teams collaborate through increased consistency and automation practices, and containerization platforms, virtualization methods used to accelerate innovation cycles and reduce time-to-market, increased the complexity and decentralization of enterprise IT. This makes it harder for security teams to see everything on their networks and accurately assess cyberrisks.


Additional concerns centered on low security awareness among employees and the lack of network visibility, particularly in the use of bring-your-own-devices and shadow IT, technology used inside organizations without explicit authorization.


The U.S. grade dropped from a B- in 2016 to a C+, indicating less confidence when it comes to cybersecurity assurance. Although the overall score in the U.S. dropped by two points, it is still well above the 70% global average. When it comes to security assurance in the U.S., the highest grades achieved were for measuring security effectiveness (A-) and conveying risks to executives and the board (B+). However, the U.S. showed poor performance when it comes to being able to assess the risk of newer technologies such as containerization platforms (F) and DevOps (D), and IT security pros admit they still don’t have a handle on managing the risks associated with mobile devices (D).


Other key global findings:

  • Cloud software as a service and infrastructure as a service were two of the lowest scoring risk assessment areas in the 2016 report. For the 2017 survey those new cloud environments, combined with platform as a service component, scored 60% (D-), a seven-point drop compared to last year’s average for IaaS and SaaS.
  • Risk assessment for mobile devices, identified alongside IaaS and SaaS in last year’s report as one of the biggest enterprise security weaknesses, dropped eight points from 65% (D) to 57% (F).
