Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
Michael A. Davis
May 12, 2014
3 Min Read
Download the new issue of InformationWeek Tech Digest, distributed in an all-digital format (registration required).
Enterprises outsource everything from server hosting to application development. Why not security? Look for this year to mark the start of a new era in information security, where organizations that can afford to build sophisticated analysis teams do so, and those that can't hire specialized providers.
It's not that information security pros feel their efforts are falling short. Just 16% of the 536 respondents to our 2014 Strategic Security Survey say their organizations are more vulnerable to attacks than they were a year ago. The problem is that the status quo isn't acceptable: 23% of respondents admit to a known security breach or espionage in the past year, ticking up two points from 2013.
Winston Churchill once said, "If you're going through hell, keep going." Good advice, but hard to follow when every piece of malware or end-user mouse click could launch the breach that ends your business, and your job. IT security is not a needle-in-a-haystack problem. It's a needle-in-a-needle-stack problem. Thousands of attacks come at you each day. How do you keep up, much less allot a few hours to think about defensive technologies or how to explain the latest zero-day advanced persistent threat to executives who, even after a breach brought down Target CEO Gregg Steinhafel, still spend on security only grudgingly?
Money, Skills, And Hired Guns
Among respondents who feel they're more vulnerable this year, 40% cite budget constraints as a contributing factor -- up a notable 10 points from 2013. But bigger problems for these shops are the increased sophistication of threats (77%) and that there are more ways than ever to attack a corporate network (66%). Among all survey respondents, only 5% are cutting IT security spending, compared with 37% increasing and 47% staying the same. Clearly, the issue isn't just, or even mostly, about cash to spend on technology. It's about finding the right people, advanced attackers, and a warped way of measuring success.
Our survey shows that even in 2014, with record breaches and threats, the top way organizations measure the value of their security investments is by whether they pass a third-party audit. So in other words, it's still only a need to check the boxes driving security investment.
But before we all bash executives, let's look at it from their point of view because frankly, investing significant money in security is no guarantee of good results.
First off, your typical enterprise security team is its own worst enemy. "The biggest area of concern isn't security itself, it is the balance between security and the ability to allow for business to continue," says one respondent. "We sometimes add in too much security, which hinders the business from operating, and vice versa, which creates major security risks."
If you cause a business slowdown when implementing a security control, you take one step forward and three back in executives' minds.
Given a low perceived return on investment, many executives see a binary decision: Build the minimum viable security practice as cheaply as possible internally, or outsource.
Rread the rest of this story in the new issue of
InformationWeek Tech Digest.
About the Author(s)
CTO of CounterTack
Michael A. Davis has been privileged to help shape and educate the globalcommunity on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of entrepreneurship earned him a spot on BusinessWeek's "Top 25 Under 25"
list, recognizing his launch of IT security consulting firm Savid Technologies, one of the fastest-growing companies of its decade. He has a passion for educating others and, as a contributing author for the *Hacking Exposed* books, has become a keynote speaker at dozens of conferences and symposiums worldwide.
Davis serves as CTO of CounterTack, provider of an endpoint security platform delivering real-time cyberthreat detection and forensics. He joined the company because he recognized that the battle is moving to the endpoint and that conventional IT security technologies can't protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring backed by automated threat analysis.
Davis brings a solid background in IT threat assessment and protection to his latest posting, having been Senior Manager Global Threats for McAfee prior to launching Savid, which was acquired by External IT. Aside from his work advancing cybersecurity, Davis writes for industry publications including InformationWeek and Dark Reading. Additionally, he has been a partner in a number of diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as President/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.
You May Also Like
Evaluation Guide: How to Choose a Network Monitoring Tool
The Total Economic Impact™ Of Fortinet NGFW For Data Center And AI-Powered FortiGuard Security Services Solution Study
5 key areas for improved automation in InfoSec compliance
Key Lessons for Enterprise Service Management
2023 Cloud Security Report