Information technology security practitioners are less confident about their cybersecurity readiness than they were 12 months ago, according to a new report from Tenable Network Security Inc.

The IT security firm’s “2017 Global Cybersecurity Assurance Report Card” surveyed 700 security professionals regarding a number of key indicators to come up with a global index score that reflects their ability to assess cyber-risks and mitigate those threats. The index for this year fell by six points compared to the year before, to an overall score of 70 percent, or grade “C.”

One of the main reasons for the drop in confidence comes from Tenable’s assessment of security practitioners’ risk assessment capabilities, which declined by 12 points. In the survey, Tenable asked practitioners about their risk assessment capabilities in 11 areas, such as cloud environment, endpoints and web servers. In most areas, the security pros achieved fairly mediocre scores, with the worst performances occurring in up-and-coming areas such as containers and DevOps environments, both of which got failing grades.

The survey showed there were some large regional variations in cybersecurity readiness, however. In India, security practitioners received an overall grade “B,” the best in the world, compared with Japan’s miserable overall grade “F.” Security pros in the U.S. achieved an overall grade “C+,” which was slightly above the global average.

“Today’s network is constantly changing — mobile devices, cloud, IoT, Web apps, containers, virtual machines — and the data indicate that a lot of organizations lack the visibility they need to feel confident in their security posture,” Cris Thomas, a strategist at Tenable Network Security, said in a statement. “It’s pretty clear that newer technologies like DevOps and containers contributed to driving the overall score down, but the real story isn’t just one or two things that need improvement, it’s that everything needs improvement.”

To back up those claims, Tenable points to the rather dismal score its respondents achieved in cloud computing. A majority of organizations are still struggling to get to grips with the risks of running their IT infrastructure in the cloud, Tenable said. Assessing organizations’ ability to assess risk in Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service environments, Tenable said the average grade was “D-,” or 60 percent, which is seven points less than a year ago. Similarly, confidence in mobile risk assessment fell by eight points to 57 percent.

Tenable also asked IT pros about challenges that impact their readiness, and found that the overwhelming cyber-threat environment and low awareness of cybersecurity among employees were the biggest.

Despite the generally worrying assessment from Tenable, security practitioners indicated they were confident about their organization’s ability to improve their scores. Almost 65 percent of respondents said they were “somewhat optimistic” or “significantly optimistic” about their organization’s ability to ward off potential cyberattacks in 2017.