Enterprises outsource everything from server hosting to application development. Why not security? Look for this year to mark the start of a new era in information security, where organizations that can afford to build sophisticated analysis teams do so, and those that can't hire specialized providers.
It's not that information security pros feel their efforts are falling short. Just 16% of the 536 respondents to our 2014 Strategic Security Survey say their organizations are more vulnerable to attacks than they were a year ago. The problem is that the status quo isn't acceptable: 23% of respondents admit to a known security breach or espionage in the past year, ticking up two points from 2013.
Winston Churchill once said, "If you're going through hell, keep going." Good advice, but hard to follow when every piece of malware or end-user mouse click could launch the breach that ends your business, and your job. IT security is not a needle-in-a-haystack problem. It's a needle-in-a-needle-stack problem. Thousands of attacks come at you each day. How do you keep up, much less allot a few hours to think about defensive technologies or how to explain the latest zero-day advanced persistent threat to executives who, even after a breach brought down Target CEO Gregg Steinhafel, still spend on security only grudgingly?
Money, Skills, And Hired Guns Among respondents who feel they're more vulnerable this year, 40% cite budget constraints as a contributing factor -- up a notable 10 points from 2013. But bigger problems for these shops are the increased sophistication of threats (77%) and that there are more ways than ever to attack a corporate network (66%). Among all survey respondents, only 5% are cutting IT security spending, compared with 37% increasing and 47% staying the same. Clearly, the issue isn't just, or even mostly, about cash to spend on technology. It's about finding the right people, advanced attackers, and a warped way of measuring success.
Our survey shows that even in 2014, with record breaches and threats, the top way organizations measure the value of their security investments is by whether they pass a third-party audit. So in other words, it's still only a need to check the boxes driving security investment.
But before we all bash executives, let's look at it from their point of view because frankly, investing significant money in security is no guarantee of good results.
First off, your typical enterprise security team is its own worst enemy. "The biggest area of concern isn't security itself, it is the balance between security and the ability to allow for business to continue," says one respondent. "We sometimes add in too much security, which hinders the business from operating, and vice versa, which creates major security risks."
If you cause a business slowdown when implementing a security control, you take one step forward and three back in executives' minds.
Given a low perceived return on investment, many executives see a binary decision: Build the minimum viable security practice as cheaply as possible internally, or outsource.
As CounterTack's CTO, Michael Davis is responsible for driving the advancement of CounterTack's revolutionary endpoint security platform, as well as leveraging his visionary approach to push defenders ahead of attackers. He has earned a reputation as one of the nation's ... View Full Bio
6 Tools to Protect Big DataMost IT teams have their conventional databases covered in terms of security and business continuity. But as we enter the era of big data, Hadoop, and NoSQL, protection schemes need to evolve. In fact, big data could drive the next big security strategy shift.
Big Data Brings Big Security ProblemsWhy should big data be more difficult to secure? In a word, variety. But the business won’t wait to use it to predict customer behavior, find correlations across disparate data sources, predict fraud or financial risk, and more.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.