IT professionals have plenty to worry about, according to recent survey results published by eIQNetworks. The survey, which asked 272 IT decision makers what keeps them up at night, shed some light on how much room some security teams have for improvement and why they're facing so many challenges in the first place.
Among the questions asked, the survey examined what was important to IT professionals, with 34 percent of respondents saying that their greatest information security nightmare would be an external data breach for financial gain. Similarly, the survey asked what the two biggest challenges to demonstrating compliance are, with 31 percent responding with measuring and reporting on compliance and 24 percent saying automating IT controls.
But perhaps more important were the numbers that indicated how teams' security measures were set up and how well they operated.
Among the highlights—or rather, lowlights—was the fact that 25 percent of respondents said they didn't know how long it would take to find the root cause of a breach. Even the ones that could provide a timeline weren't very reassuring, with 22.8 percent stating that it would take them up to a month to find the cause (and 6.3 percent needing more than a month).
"That's huge. Depending on the size, a significant enough breach could cost you your company," said Vijay Basani, president and CEO of eIQNetworks. "So it's very eye-opening."
"Even scarier is the 5 percent that said they wouldn't do anything at all," added Brian Anderson, eIQNetworks' Chief Marketing Officer.
And yet the difficulty these teams face in trying to find the root of a problem isn't too surprising given how lax many of them seem to be when it comes to monitoring certain aspects of their systems. According to the survey, 34.6 percent of respondents monitor less than 25 percent of their end-user systems, such as desktops and laptops, while 51.8 percent monitor less than 25 percent of their mobile devices.
Also problematic is that these teams are often playing catch-up rather than being proactive. Of the survey participants, 42 percent said that they react to an incident after the fact, as opposed to those that said they have some sort of proactive program in place that continuously monitors their IT environment for potential problems and policy violations.
The real-time monitoring is necessary, said Basani. "It's almost a vaccine-like structure. You're better off that way than waiting, and that's where the SANS 20 Controls come into play. You can figure out what's going on before bad things happen," he said, referring to the 20 key actions (critical security controls) developed by the SANS Institute.
Unfortunately, only 20 percent of respondents said that they intend to implement the SANS 20 critical security controls in the next 12 to 24 months. According to Basani, the numbers are low because implementing SANS security controls involves a huge educational process. Anderson then expounded on that notion, pointing out that a lack of well-trained security professionals makes implementation difficult.
"These teams remain blissfully ignorant of the potential threats and their solutions," said Anderson. "So instead, they stick to their old approach of marking off a couple check boxes for an audit once a year without even realizing that the SANS 20 is a possibility."
Another issue that could possibly explain why security teams are more likely to turn to the quicker, simpler solutions is that they're shorthanded; two-thirds of the respondents said that their security departments were understaffed. Why, then, is there such a staffing issue even in the face of looming threats?
"One thing you can point to here is that most security budgets have not been increased beyond the typical budget increases that companies implement despite the fact that security issues have escalated in the last few years," said Basani.
Equally problematic, said Anderson, was the shortage of available security professionals in the market. "They tend to be in very high demand," he said, adding that it was typically the larger, richer companies that ultimately snatch up such commodities. "So a small number of companies become the haves, while a large number of them become the have-nots."
The understaffed security departments make sense in a way, however, given that 36 percent of information security professionals claim that they meet either infrequently or not at all with business unit leaders to discuss their needs, a number that Basani says is indicative of the greater corporate attitude toward security.
"Executives don't really pay attention to security," he said, pointing out that security teams aren't generally appreciated within companies. "Executives, being part of the operations side of things, tend to want to keep things moving, so they just give lip service to security teams."
Basani went on to say that the statistic also goes beyond the pervasive indifference toward security, as it's also an issue of executives not understanding that security can be a strategic advantage for their company. Anderson agreed, saying that IT and CEOs are no longer on the same page as far as the importance of security is concerned.
"About 10 years ago, security was among the top three priorities for both CEOs and IT," said Anderson, citing surveys conducted by Gartner at one of their past conferences. "Now those surveys are saying there's a shift in priorities. Security got bumped to the lower numbers because CEOs' priorities shifted towards classic issues like productivity, expansion, dealing with the economy, etc. [Security] remained a high priority for IT members though, because they realized security was the root of keeping everyone working, keeping their networks up and running, staying compliant for audits, and so forth."
Despite the lack of interest in security by those at the top, it's not all doom and gloom. What a lot of companies don't realize, according to Anderson, is that there are plenty of services available that can help security teams do their job, even if they're shorthanded. There are services now that can do a lot of the work for the teams automatically, such as monitoring end-user systems in real-time.
"The more education we can give to the average company, the better," said Anderson of the survey results. "An ounce of prevention is worth a pound of cure."