Study: Are IT security managers too confident?


While traditional IT teams in companies clearly support bringing in external experts, the majority of internal IT security managers reject outside help. But can security teams afford this, or are they overconfident? An enlightening study from Trend Micro.

The role of cybersecurity in the business context has undergone a significant shift: once seen as a deterrent, it is increasingly recognized as a catalyst for digitalization and business development. This emerges from a study that Trend Micro carried out together with the Brandenburg Institute for Society and Security (BIGS). Although companies now recognize the importance of IT security for business success, the study reveals a surprising discrepancy: 56.9 percent of companies' own IT teams believe it is necessary to use the expertise of external security specialists, but only 14.7 percent of IT security managers share this view.

An overestimation of oneself?

Does this result reflect excessive trust among those responsible for internal IT security in the capabilities of their own department? One might assume so. Almost half of CISOs rate the risk of a cyber attack on their company in the next twelve months as high or even very high. So why do they hardly want to ask for help from outside?

Possible reasons for rejecting external security expertise

The reasons why CISOs reject external support are of great importance for company management. If in-house security managers actually overestimate their capabilities, there is a high risk that security gaps will arise. The study sees a possible explanation for the skepticism towards managed security services in the fact that in-house IT security managers are reluctant to give up responsibility or accept external influences in their work area. Negative experiences could also be responsible, such as expensive external consultants having failed to prevent a cyber attack in the past. BIGS names another reason: after a known incident, companies are flooded with inquiries from IT security service providers, lose track of the multitude of offers and grow tired of making decisions.

IT security teams are overloaded

The requirements for a comprehensive security concept are constantly increasing. Cybercriminals are increasingly organizing themselves like businesses and pursuing cutting-edge attack strategies, while IT infrastructures are becoming more complex and more difficult to monitor. These developments require a holistic protection approach that can only be met by complex security technologies. It is not enough for companies to invest in acquiring leading cybersecurity solutions. To integrate these into a holistic security approach, they must be carefully configured, professionally managed and monitored around the clock. This puts a lot of strain on the IT teams, not least mentally. The global skills shortage, which a current (ISC)² study estimates at 3.4 million missing experts in cybersecurity, is also increasing the overload in the industry.

Economic reasoning favors security service providers

In the study paper, BIGS warns of the negative consequences of overestimating oneself. “It is becoming increasingly difficult to have an overview of all company areas in the necessary depth,” says Dr. Tim Stuchtey, Managing Director of BIGS. “It is obvious to me that medium-sized companies cannot have the necessary expertise in-house in all eventualities. Nor should they for economic reasons. Rather, it is important to have the expertise to identify the right service providers for the challenges ahead.”

Advantages of Managed Security Services

If IT security managers decided to support the in-house IT department with managed security services, this would have advantages that should not be underestimated: the internal team is relieved and can concentrate on its core tasks again. The security service providers are available 24/7, are familiar with the latest attack patterns and global contexts, and are able to identify threats across company boundaries. The in-depth knowledge of security analysts is invaluable, especially in the event of a cyber attack.

“To protect themselves from modern attacks, companies not only need first-class detection and response, but also have to proactively position themselves in such a way that the probability of an attack decreases,” says Hannes Steiner, Vice President Germany at Trend Micro. “A proactive security strategy begins with a continuous risk assessment that saves resources and uses them exactly where they are needed. With a renowned security partner at their side, companies can overcome these challenges with little effort on their own.”

Background to the study

The market research company Mindfacts surveyed 300 senior IT and IT security executives in companies with more than 250 employees from various industries on behalf of Trend Micro. The healthcare sector and authorities each account for 30 percent of the participants. The survey took place in September and October 2022. Based on the results, the Brandenburg Institute for Society and Security (BIGS) carried out an empirical analysis. It examined connections and determined, among other things, which factors lead to more strategic or more reactive investments in IT security.

About Trend Micro

As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.

