Survey finds dangerous gap in prevention

Enterprises are investing in technologies to mitigate attacks, and those investments align with many of the most common attack vectors. But do they need to invest more in the processes around managing their security investments?

It's no big secret: contemporary attacks are levied over the Web; attackers will craft custom malware to slither past anti-malware defenses; and any business on any given day can be compromised. That's the reality of where information security stands today.

Clearly, enterprises are aware of this as investments in many defensive technologies moved up significantly year over year, according to the ninth annual Global Information Security Survey CSO conducted along with PwC, which questioned more than 9600 business and technology executives from around the world.

For example, Web content filtering rose to 75% from 65% last year, secure browsers to 72% from 62%, and web services security investments to 62% from 55%. Similar results hold for intrusion detection/prevention tools, vulnerability scanners, and security event correlation software.

Enterprises are spending money on security technologies.

That's certainly good news (especially if you are a security vendor). However, as we noted in last month's cover story, "What makes an infosec leader," organizations are not investing in the processes necessary to make certain those technologies are running in concert. For instance, only 43% of respondents have established centralized security information management processes.

And how's this: only 8% of those surveyed said increasing the focus on data protection was a top priority.

That's a dangerous and costly bifurcation. Without the right business processes around those technologies, enterprises are lucky to gain much of their intended value.

Robbie Higgins, VP of security services at IT solution provider GlassHouse Technologies, isn't surprised. "One of the challenges a lot of security groups face is, still, justifying what they're doing. The problem is, a lot of the measures in security are qualitative more than they are quantitative, because there is that element of risk and probability," he says.

"It's not that they don't see some of the strategic side of things they need to do. They do. But they're still struggling getting to the blocking and tackling - the very basics of what needs to be done - and done right. Today, that's still their biggest priority," says Higgins.

"There are certain areas where there is great room for improvement," says Scott Crawford, managing research director at research firm Enterprise Management Associates. "Many companies make investments in lots of technologies, but they fail to cover the basics such as reading logs for potential breaches," he says.

The 2011 Verizon Data Breach Investigations Report backs what these experts are saying. That report shows that organizations often don't know for weeks, months, sometimes years after they've been breached. The study found that 86% of breached parties learned of their breach through notification from an external party; only 6% of breaches were uncovered through internal monitoring, such as reading security logs. "Clearly, businesses need to make better use of the data on their own networks," says Crawford.

Brian Honan, founder of Dublin, Ireland-based information security consultancy BH Consulting and founder and lead of Ireland's first Computer Emergency Response Team, says another area where many organizations have a process gap that needs to be filled is incident response. "You'd think with all of the talk around advanced persistent threats, and the string of high-profile breaches in the past year, that organizations would be preparing their ability to identify and respond to breaches better, but they're not," says Honan. "Most organizations do not have comprehensive incident response plans in place," he says.

"To this day we are surprised when we go and meet with new clients and they can speak very intelligently about what they want to do from a security perspective, and what their vision is, and how they want to get there," says Higgins. "But when you take a look at what they're actually doing, there's a big gap between where they are and where they want to be. In some cases, it's a canyon," he says.
