TREND 4

Security Hygiene and the On-going Impact of Control Failures

Limited visibility has made control failures one of the most common causes of security breaches over the past six years.

84%

Almost all enterprise organizations have experienced a breach directly linked to control failures.

Security Leaders Peer Report, 2025

In 2019, almost all (89%) of security leaders from large enterprises said they were concerned about a lack of visibility into their security posture – and in 2022, 82% told us they were caught off-guard by a breach that evaded controls they believed were in place.

By 2025, a staggering 84% of enterprise organizations experienced breaches directly linked to control failures, wiping out an estimated 62% of cybersecurity budgets in recovery costs.

Our evidence suggests that organizations are struggling to properly implement and manage a high standard of security hygiene, leaving valuable data and services vulnerable to preventable breaches.

Faced with an unmanageable number of incidents, some security leaders appear to have accepted that control failures are an unavoidable reality. Over one third (38%) of security leaders surveyed in 2023 said they have accepted the risk of control failures, a mindset most likely driven by the sheer volume of incidents and vulnerabilities, which forces teams into a reactive mode.

But this reactive approach to control failures and security hygiene can change. With more stringent regulation driving the need for effective controls assurance and oversight, CISOs will finally have the insights they need to take proactive, preventive measures that keep their organizations secure.

38%

Over one third of CISOs have come to accept the risk of control failures.

Security Leaders Peer Report, 2023

Case study: Using data to promote foundational security hygiene

On the surface, security hygiene looks like a simplified problem. But when you start to expand it up and you layer on the technology complexity, the politics, the people, the everything else, you end up in a really interesting place where you’ve got to start pulling on a lot of levers to ensure that you get it right.

We’ve taken [an] approach across all of our control framework. It’s really about collecting as much data as you can, processing it in a meaningful way and then putting it in front of the right people to allow them to do the right things and then really celebrating their success.

David Ferguson

Deputy CISO, formerly of the Bank of England

Why control failures are the cybersecurity industry's dirty little secret


“98% of attacks that we see could be prevented with cyber hygiene.”

Stuart Aston, Microsoft

For almost all organizations, the problem isn't the tools and controls themselves. They already have what they need to achieve a good level of cyber hygiene. The real challenge, as the data shows, is that the deployment of these controls is prone to drift, gaps, and failures: an agent that stops reporting, a scan scope that no longer matches the asset inventory, a patch that never lands on a subset of hosts.

As Stuart Aston, National Security Officer at Microsoft UK, describes, “98% of attacks that we see could be defeated with cyber hygiene. And that’s across the 23 trillion signals we see every single day at Microsoft”.

To break free from reactive cycles, security teams must adopt a data-driven approach. An established security metrics and monitoring program lets organizations measure whether each control is actually covering the assets it is supposed to cover, and strengthen the controls that are not, continuously rather than at audit time.

TL;DR What this means for security leaders

  • Foundational cybersecurity hygiene isn’t just having the basics in place – it’s also knowing that tools and controls are operational all the time.
  • The best way to understand if controls are deployed correctly (and therefore doing the preventive work Microsoft attributes to hygiene, stopping up to 98% of attacks) is to monitor their effectiveness continuously.
  • Monitoring controls continuously means implementing a Continuous Controls Monitoring (CCM) program.
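The kind of check a Continuous Controls Monitoring program runs, as an added example that is not code from this page or from any vendor: it joins an asset inventory against the telemetry of two controls (EDR agent heartbeats and vulnerability-scanner results) and reports where coverage has drifted. All hosts, timestamps, thresholds and SLA values are constructed for the example; a real run would pull the inventory from the CMDB and the telemetry from the EDR console and the scanner.

```python
"""Minimal Continuous Controls Monitoring (CCM) check.

Joins an asset inventory with telemetry from the controls that are
supposed to cover it, and reports where each control has drifted away
from the assets it should protect. Sample data is constructed inline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reference time and constructed sample data (not real telemetry).
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

INVENTORY = [
    {"host": "web-01", "owner": "platform", "tier": "internet-facing"},
    {"host": "web-02", "owner": "platform", "tier": "internet-facing"},
    {"host": "db-01", "owner": "data", "tier": "internal"},
    {"host": "jump-01", "owner": "secops", "tier": "internal"},
]

# Last heartbeat of the EDR agent per host; a host missing here has no agent.
EDR_HEARTBEATS = {
    "web-01": NOW - timedelta(hours=2),
    "web-02": NOW - timedelta(days=9),   # agent installed but silent
    "db-01": NOW - timedelta(hours=1),
    # jump-01 was never enrolled
}

# Last authenticated scan per host and age of the oldest open critical.
SCAN_RESULTS = {
    "web-01": {"last_scan": NOW - timedelta(days=3), "oldest_critical_days": 21},
    "web-02": {"last_scan": NOW - timedelta(days=3), "oldest_critical_days": 0},
    "db-01": {"last_scan": NOW - timedelta(days=40), "oldest_critical_days": 0},
    "jump-01": {"last_scan": NOW - timedelta(days=2), "oldest_critical_days": 3},
}

# Policy thresholds, assumed for the example.
EDR_STALE_AFTER = timedelta(days=7)
SCAN_STALE_AFTER = timedelta(days=30)
CRITICAL_PATCH_SLA_DAYS = {"internet-facing": 14, "internal": 30}


@dataclass(frozen=True)
class Finding:
    host: str
    owner: str
    control: str
    detail: str


def evaluate_controls(inventory, heartbeats, scans, now=NOW):
    """Return one Finding per (host, control) where the control is not effective."""
    findings = []
    for asset in inventory:
        host, owner, tier = asset["host"], asset["owner"], asset["tier"]

        # Control 1: endpoint protection present and reporting.
        seen = heartbeats.get(host)
        if seen is None:
            findings.append(Finding(host, owner, "edr", "no agent enrolled"))
        elif now - seen > EDR_STALE_AFTER:
            findings.append(Finding(host, owner, "edr",
                                    f"agent silent for {(now - seen).days} days"))

        # Control 2: vulnerability scanning current for this host.
        scan = scans.get(host)
        if scan is None or now - scan["last_scan"] > SCAN_STALE_AFTER:
            findings.append(Finding(host, owner, "vuln_scan",
                                    "no scan within policy window"))

        # Control 3: critical findings remediated within the tier's SLA.
        if scan and scan["oldest_critical_days"] > CRITICAL_PATCH_SLA_DAYS[tier]:
            findings.append(Finding(host, owner, "patch_sla",
                                    f"critical open {scan['oldest_critical_days']}d, "
                                    f"SLA {CRITICAL_PATCH_SLA_DAYS[tier]}d"))
    return findings


def coverage(inventory, findings, control):
    """Fraction of in-scope assets with no finding against the given control."""
    failing = {f.host for f in findings if f.control == control}
    return 1 - len(failing) / len(inventory)


def findings_by_owner(findings):
    """Group findings so each owner sees only the gaps they can fix."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.owner, []).append(f)
    return grouped


if __name__ == "__main__":
    results = evaluate_controls(INVENTORY, EDR_HEARTBEATS, SCAN_RESULTS)
    for control in ("edr", "vuln_scan", "patch_sla"):
        print(f"{control:10s} coverage {coverage(INVENTORY, results, control):.0%}")
    for owner, items in findings_by_owner(results).items():
        for f in items:
            print(f"  {owner:9s} {f.host:8s} {f.control:10s} {f.detail}")
```

The point of the join is that no single console would have reported these gaps: the EDR console does not know about `jump-01` because it was never enrolled, and the scanner sees `db-01` as "clean" only because it has not looked for forty days. Grouping by owner is what turns the metric into action, the "putting it in front of the right people" step from the case study above.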
