Survey finds dangerous gap in prevention
Enterprises are investing in technologies to mitigate attacks, and those investments align with many of the most common attack vectors. But do they need to invest more in the processes around managing their security investments?
October 12, 2011 — CSO —
It's no big secret: contemporary attacks are levied over the Web; attackers will craft custom malware to slither past anti-malware defenses; and any business on any given day can be compromised. That's the reality of where information security stands today.
Clearly, enterprises are aware of this, as investments in many defensive technologies moved up significantly year over year, according to the ninth annual Global Information Security Survey, which CSO conducted along with PwC and which questioned more than 9600 business and technology executives from around the world.
For example, Web content filtering rose to 75% from 65% last year, secure browsers to 72% from 62%, and web services security investments to 62% from 55%. Similar results hold for intrusion detection/prevention tools, vulnerability scanners, and security event correlation software.
Enterprises are spending money on security technologies.
That's certainly good news (especially if you are a security vendor). However, as we noted in last month's cover story, "What makes an infosec leader," organizations are not investing in the processes necessary to make certain those technologies are running in concert. For instance, only 43% of respondents have established centralized security information management processes.
And how's this: only 8% of those surveyed said increasing the focus on data protection was a top priority.
That's a dangerous and costly bifurcation. Without the right business processes around those technologies, enterprises are lucky to gain much of their intended value.
Robbie Higgins, VP of security services at IT solution provider GlassHouse Technologies, isn't surprised. "One of the challenges a lot of security groups face is, still, justifying what they're doing. The problem is, a lot of the measures in security are qualitative more than they are quantitative, because there is that element of risk and probability," he says.
"It's not that they don't see some of the strategic side of things they need to do. They do. But they're still struggling getting to the blocking and tackling - the very basics of what needs to be done - and done right. Today, that's still their biggest priority," says Higgins.
"There are certain areas where there is great room for improvement," says Scott Crawford, managing research director at research firm Enterprise Management Associates. "Many companies make investments in lots of technologies, but they fail to cover the basics such as reading logs for potential breaches," he says.
The 2011 Verizon Data Breach Investigations Report backs what these experts are saying. That report shows that organizations often don't know for weeks, months, sometimes years after they've been breached. The study found that 86% of breached parties learned of their breach through notification from an external party; only 6% of breaches were uncovered through internal monitoring, such as reading security logs. "Clearly, businesses need to make better use of the data on their own networks," says Crawford.