Ponemon: Doubt Dogs IT On Security Tools, Spending

The Ponemon Institute shows how IT security staffs want better technology tools and better skill sets to ward off invasive threats.

Charles Babcock, Editor at Large, Cloud

February 10, 2017

6 Min Read
Credit: Ponemon Institute

A major new survey by the Ponemon Institute has found that over two-thirds of IT managers and security managers polled found some of their organization's existing security precautions either inadequate or out of date. Sixty-nine percent took that stance.

By a slightly smaller margin, 64%, they disagree with the statement that their organization "effectively reduces the inherent risk of unmanaged data." Likewise, 65% disagreed with a statement that their organizations were effectively managing "the inherent risk of unapproved applications."

In two other revealing findings, the institute found 53% of respondents said they needed but did not have a unified view of users across the enterprise, given a multiplicity of locations, applications and devices. Another 48% of respondents said their current security infrastructure "did not facilitate compliance and regulatory enforcement" with a centralized approach to controlling data.

The institute released the study Feb. 7 after surveying 4,268 IT managers and IT security practitioners in the U.S., Canada, Mexico, the U.K., the Netherlands, Germany, France, Australia, New Zealand, China, India, Japan, and Brazil. IT staffers in Korea and United Arab Emirates also participated. The study, The Need for a New IT Security Architecture: Global Study on the Risks of Outdated Technologies, was sponsored by Citrix Systems, and Citrix CTO Christian Reilly blogged on its conclusions here.

Want to learn more about the changing face of enterprise security? See Expert: Threats To Secure Cloud Operations Are Evolving.

The "outdated technologies" referred to were primarily the aging user access, monitoring and intrusion detection systems that companies typically use to keep their IT operations safe, but didn't necessarily exclude poorly maintained Windows and Linux operating systems or applications that include well recognized code vulnerabilities.

In addition to a unified view of users of IT systems, the respondents said their second top concern was maintaining an ability to keep up with attacks, a need cited by 48%. It was closely followed by a need to maintain visibility into all business-critical applications and systems, 43%.

The need for controls that spanned the enterprise might have been viewed as an unrealistic expectation, and garnered support from just 28%, as did ability to protect the security infrastructure while supporting business innovation. Another way of saying that is don't let the desire for rapid development and deployment compromise the need for security.

While 69% of the respondents agreed their organizations were running outdated security solutions, 49% also felt that their organizations "had the right policies and procedures in place to protect information assets."

The survey asked about "unmanaged data," without defining what it meant. But such a reference could easily refer to email, data and applications on employees' personal devices and use of social media inside the corporate network. Only 36% thought their company was effectively managing such data, and 35% thought unapproved applications were also effectively managed.

Getting back to the "ineffective" side of the ledger, 59% felt third parties and employees managed to bypass security policies when they were found to be "too complex." Less than half, 48%, thought their organization had policies that ensured employees and third parties were allowed access only to sensitive business information that was appropriate to their role.

Forty-two percent conceded that security policies probably hinder employee productivity and only 32% said they were confident employee-owned devices were not allowing criminals to access the corporate network or data.

Attitudes on the effectiveness of defenses tended to drop as the required sophistication of protective systems increased. Forty-nine percent agreed that denial of service attacks, browser exposures and ransomware incidents could be prevented. But that almost-a-majority dropped down to 40% when it came to the effectiveness of protecting sensitive applications and data, whether the data was at rest or in motion.  It dropped further to 37% when it came to the effectiveness of access control and multi-factor authentication systems, whether on premises or in the cloud.

Although the use of personal mobile devices ranked high as a risk, it was by no means the highest. The company's use of file and document collaboration tools was ranked higher as a concern to 66%. The cloud and cloud services likewise ranked higher, as a concern at 70%. The use of digital identities and whether those identities were 100% secure concerned 73%. And employees use of social media in the workplace lead the pack at 75%.

Other concerns centered on employees' use of their favorite cloud applications, 55%, and the company's use of IT virtualization technologies at 53%, the report said.

As for technologies that could be updated and lead to the reduction of security and privacy risks, an identity and access management system ranked at the top with 78%. Machine learning, trained to watch for signs of invasive events, ranked number two at 77%. Security information and event management systems (SIEM) and security intelligence systems was number three for 73%. Big data analytics was also judged an essential component, for 66%.

Use of virtual private networks, where data in motion only travels in an encrypted state, was important to 65% and enterprise file synchronization and sharing was a key service for 64%. Surprisingly, enterprise mobility management came in eighth as a key system for 60%.

Nine ways were ranked among the less tangible ways to improve security. The top one, at 72%, was improvement in the skills of the security staff; number two was improvement in technologies, including those listed above, named by 65%. Number three was an increase in security funding, named by 55%.

Also, a reduction in complexity was important to 49%; improvement in threat intelligence sharing was listed by 48%; better leadership on security issues, 46%; chance to minimize employee-related risk, 45%; reduction in the compliance  burden, 40%; and an increase in the support from the C-level executives was listed by 31%.

Even if the IT staff is given more dollars to improve the security skill set, the biggest hindrance to improving the overall security posture was the "inability to hire and retain expert staff," said 88% of the respondents.

Lack of funding itself was a complaint of 65%. Lack of suitable technologies followed closely on its heels at 64%. Inability to minimize employee-related risks was named by 53%. And lack of C-level executive support was a complaint of 50%.

The survey reached many high level IT managers at large companies. The average spend on IT security for the survey group this year will be $13 million. For 66% of them, this represents "a slight increase" in 2017over 2016. For 21%, it was a "significant increase." Thirty-five percent had experience no change in the security budget year over year, while 11% saw a slight decrease and 2% suffered a significant decrease.

The Ponemon Institute is noted for the breadth of its surveys and sometimes its ability to highlight a new trend in the data. This report, the second in a series of three, offers a snapshot of sorts of IT managers who sense they're not doing enough, given the threats that keep cropping up in major breaches. They want better technologies with which to fight the intruders and a better equipped staff. That they're not entirely happy with what they're getting may not be new, but perhaps in the current environment it's a good sign that they sense how much needs to be done and are thinking of ways to do it.

About the Author(s)

Charles Babcock

Editor at Large, Cloud

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse University where he obtained a bachelor's degree in journalism. He joined the publication in 2003.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights