Nearly two out of three U.K.-based IT and security decision makers say their security programme is continuously reactive, rather than proactive, according to a new research report.

Conducted on behald of Optiv, the report suggest that constantly changing legislation, threats, and other external factors, IT and security decision makers unable to get ahead of cyber threats.

The report, “Enterprise Attitudes to Cybersecurity: Tackling the Modern Threat Landscape,” concludies that 58 per cent of IT leaders find it challenging to get board buy-In for cybersecurity programmes.

“Security teams that focus purely on the external threat are being left behind by the pace of business and digital change,” said Simon Church, Optiv’s general manager and executive vice president, Europe.

“Many organisations are still married to the antiquated outside-in model, which is predicated on buying security technologies based on the latest trends and vulnerabilities in a problem and response manner.

“This approach allows the landscape, rather than enterprise objectives, to dictate security infrastructure and operations, and often ignores the other important elements of a successful security programme - people and process.”

The research, conducted via online interviews with 100 U.K.-based IT and security decision makers at enterprise businesses, identified that more than a quarter of respondents believe their security works extremely well, but increasingly, enterprises don’t just want effectiveness.

When asked how much emphasis businesses would place on different factors if they could rebuild their programmes from scratch, respondents said they would put 32 per cent of their focus on simplicity, a 9 percent increase over current state.