Woe is IT, the pain of risk management

As I’ve spoken with leaders in the security industry over the course of developing this blog, I’ve learned a lot about the modern CISO. More often, enterprises are looking to hire leaders who not only have a background in IT but also have the required business acumen to understand risk.

Risk assessment and risk management are key elements in a successful security strategy because the threat landscape continues to expand with the explosion of IoT. Devices are everywhere, and everyone is connecting to the network causing headaches for security management professionals.

LogMeIn recently polled 500 IT professionals on the array of challenges ongoing in their security threat landscape. Not surprisingly, cloud security, devices, and user behavior are some of the most often reported pain points for IT professionals.

Twenty years ago, the idea of getting into the clouds involved a vessel with wings, and the only glitch would have been some sort of turbulence. Now the move to the cloud is creating a whole new security standard. Cloud security has been reported as one of the least common security measures, yet over a third of the survey respondents said critical pieces of their business reside in the cloud. The challenge for IT comes with understanding how to protect that data.

[ ALSO ON CSO: Update to risk management framework should be taken seriously ]

As the use of devices continues to grow and more corporate offices transition to a BYOD environment, IT departments are confronted with discrepancies and balances between what systems they support and the devices folks are using. It’s critical for businesses to continue to evaluate their BYOD policies and provide guidelines around using two-factor authentication and connecting to public WiFi.

Most likely either time or resources is not on their side. Security is never top on the budget list because executives don’t want to pay for what they can’t see. Where most survey respondents are spending their money, though, is on firewalls (89 percent), anti-virus management software (86 percent) and employee training and policies (73 percent).

Still, security strategies today demand constant monitoring and evaluating of tools and policies. Only half of those surveyed audit anti-virus management software annually and a quarter have no timeframe planned for doing so.

That’s proof that security really comes down to money. While 41 percent of the respondents say that budget is the biggest threat to managing security, the majority of respondents (81 percent) said that less than a quarter of their IT budget is allocated for security management. That money is most often spent of activity monitoring, firewalls, and anti-virus management software.

Even though most security professionals know that employees often fall victim to online scams that result in downtime for the entire company, user training was not a high priority for 70 percent of survey respondents. Perhaps that’s because everyone is growing immune to the concern of being breached.

Really, when anyone makes reference to companies being breached, there are less than a handful of enterprise names that get tossed around even though breaches are increasingly common for everyone. Sure, organizations want more solutions and resources to help boost their security, but only 30 percent of respondents believe their company is likely to suffer a security breach or attack. That “it won’t happen to me” attitude hasn’t disappeared puts a lot more faith in technology than it does human behavior.

User training has to move up on the security management list so that awareness of risk stays at the forefront of people’s minds, even as technology continues to change. Of those surveyed, 86 percent of respondents said they are confident that their security measures are effective, and 30 percent believe there is nothing else they could do to protect their company.

Ongoing, purposeful, and relevant communication with everyone in the enterprise is one thing they can do that won’t dip into the security piggy bank. In order for security to evolve along with technology, teams must adopt a security-minded awareness to keep data breaches from affecting their system.