Money, Skills, And Hired Guns: 2014 Strategic Security Survey - InformationWeek
5/12/2014
09:36 AM

Money, Skills, And Hired Guns: 2014 Strategic Security Survey

Tight budgets. A manpower crunch. More -- and more sophisticated -- threats. Are you sure you're up to this?

Download the new issue of InformationWeek Tech Digest, distributed in an all-digital format (registration required).

Enterprises outsource everything from server hosting to application development. Why not security? Look for this year to mark the start of a new era in information security, where organizations that can afford to build sophisticated analysis teams do so, and those that can't hire specialized providers.

It's not that information security pros feel their efforts are falling short. Just 16% of the 536 respondents to our 2014 Strategic Security Survey say their organizations are more vulnerable to attacks than they were a year ago. The problem is that the status quo isn't acceptable: 23% of respondents admit to a known security breach or espionage in the past year, ticking up two points from 2013.

Winston Churchill once said, "If you're going through hell, keep going." Good advice, but hard to follow when every piece of malware or end-user mouse click could launch the breach that ends your business, and your job. IT security is not a needle-in-a-haystack problem. It's a needle-in-a-needle-stack problem. Thousands of attacks come at you each day. How do you keep up, much less allot a few hours to think about defensive technologies or how to explain the latest zero-day advanced persistent threat to executives who, even after a breach brought down Target CEO Gregg Steinhafel, still spend on security only grudgingly?

Money, Skills, And Hired Guns
Among respondents who feel they're more vulnerable this year, 40% cite budget constraints as a contributing factor -- up a notable 10 points from 2013. But bigger problems for these shops are the increased sophistication of threats (77%) and that there are more ways than ever to attack a corporate network (66%). Among all survey respondents, only 5% are cutting IT security spending, compared with 37% increasing and 47% staying the same. Clearly, the issue isn't just, or even mostly, about cash to spend on technology. It's about finding the right people, advanced attackers, and a warped way of measuring success.

Our survey shows that even in 2014, with record breaches and threats, the top way organizations measure the value of their security investments is by whether they pass a third-party audit. So in other words, it's still only a need to check the boxes driving security investment.

But before we all bash executives, let's look at it from their point of view because frankly, investing significant money in security is no guarantee of good results.

First off, your typical enterprise security team is its own worst enemy. "The biggest area of concern isn't security itself, it is the balance between security and the ability to allow for business to continue," says one respondent. "We sometimes add in too much security, which hinders the business from operating, and vice versa, which creates major security risks."

If you cause a business slowdown when implementing a security control, you take one step forward and three back in executives' minds.

Given a low perceived return on investment, many executives see a binary decision: Build the minimum viable security practice as cheaply as possible internally, or outsource.

Read the rest of this story in the new issue of InformationWeek Tech Digest.

 

Michael A. Davis has been privileged to help shape and educate the global community on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of ...

Comments
IMjustinkern,
User Rank: Strategist
5/12/2014 | 3:28:39 PM
Re: Surprises
Hmmm ... an interesting prospect, Michael. I just worry about adding another layer/tunnel for data. How do you reconcile the propensity for folks to sidestep extra layers? Or for the problems stemming from extra connections (read: Target HVAC guy)?
Laurianne,
User Rank: Author
5/12/2014 | 1:09:42 PM
Surprises
Mike, you have a long-term perspective on security spending and staffing. What if anything surprised you in this year's data?