A few words on situational awareness and incident response
Independent survey finds growing awareness for global threats among security executives, but lack of situational awareness when it comes to their own enterprise
Something we're seeing a lot of these days: CSOs displaying plenty of knowledge about the threats out there, but little clue as to how those threats might be in play within their environments. The latest example is in a newly-released report based on a survey of 100 information security executives from enterprises with revenues greater than $100 million.
Let's review the high points, then I'll tell you why, in my humble opinion, this isn't such a bad thing.
Security vendor CounterTack commissioned the survey for use in its "Cyber-readiness Reality Check" report. The survey was conducted online within the United States between June 13 and 20 by ResearchNow. Three-quarters of respondents were CISOs or CSOs. The remaining quarter filled senior-level security roles within their organizations, including IT security engineers, information assurance analysts, security systems administrators, senior IT security consultants or security architects.
Among the findings:
--Nearly half of respondents said their organizations have been attacked within the past year.
--A third of those attacked lack confidence in their organizations’ readiness to defend against further aggression.
--84 percent said their organizations are vulnerable to advanced persistent threats (APTs) targeting intellectual property or other critical organizational assets.
--44 percent admitted a lack of time and resources when it comes to dealing with such threats.
--Four out of five respondents said enterprises could benefit from adopting a military-style approach to security learned from physical battlefields, such as situational awareness and intelligence gathering.
--But only 21 percent credited themselves with currently taking a “warrior” stance to cyber defense, using intelligence and real-time situational awareness tactics learned from the military, compared to 58 percent who indicated taking more of a “protector” role when it comes to defending organizational assets.
--Despite the willingness of some security executives to explore new solutions, static, perimeter-centric tools like firewalls remain the most relied-upon security products and nearly one-third of security teams spend more than 50 hours a month studying existing malware permutations to prevent future attacks.
--36 percent said that if an attacker got inside their perimeter defenses and into their networks, they would not be able to see or stop the attack. When asked to grade themselves at discovering in-progress attacks quickly enough to mitigate damage and prevent catastrophic loss, respondents were more likely to give themselves a “C” instead of an “A.”
I spent some time on the phone this morning with Neal Creighton, CEO of CounterTack. He said organizations need to recognize that advanced, targeted attacks have moved inside the virtual walls of their networks and that a more anticipatory posture in the face of eventual attacks is required. "What we think it's all about is the intelligence," he said. "If you know the attack is there you can shut it down. If you can shorten the window attackers have to work with, you can make it not worth their time to target you. Then they'll move on to the next target."
The press release announcing the findings includes this quote from someone I've known and respected for a long time:
“This survey corroborates the anecdotal evidence many of us in the industry are exposed to, which paints a chillingly accurate picture of a growing chasm between executive awareness about the nature of rapidly evolving threats and the available resources to address them,” said Richard Stiennon, chief research analyst, IT-Harvest. “While the willingness of information security executives to explore new ways of dealing with targeted advanced threats in the coming months is an encouraging finding, it’s also evident that economic constraints and outmoded thinking will remain stumbling blocks.”
A few observations:
--This is a vendor-commissioned survey designed to emphasize the "effectiveness" of CounterTack's products vs. "ineffective" products from other vendors. I don't fault them for this. All vendors do it, all the time. But the vendor story is never the whole story. Therefore, the overall tone should be taken with a grain of salt.
--That CSOs are clueless about their company's situational awareness is old news. Every CSO I talk to admits on the record that their company can't stop every attack from happening. The threat is simply too vast.
--The best they can do is put the most ironclad walls around the most important company assets and have a solid response plan in place to get through a data breach with the least amount of damage possible.
--A lot of companies try to throw money at the problem instead of stopping to think about how they'd react in the face of a breach, and they're the ones who find themselves in trouble when it hits the fan.
All that said, the military-style situational awareness approach suggested in the report is interesting. So I end with this question: Are any of you taking that approach? If so, what are the strengths and weaknesses?