BreachExchange mailing list archives

Study shows those responsible for security face mounting pressures


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 11 Feb 2014 18:22:22 -0700

http://www.networkworld.com/news/2014/021114-study-shows-those-responsible-for-278647.html?source=nww_rss

According to a recent study, security-related pressures in IT have climbed
steadily year-over-year, as security professionals face the constant strain
that comes with defending their organization's network and data from an
assortment of threats from all sides.

The data comes from Trustwave's 2014 Security Pressures report, which was
provided to CSO Online exclusively ahead of its publication next week. In
an attempt to understand the variety of pressures that those working in
InfoSec face, Trustwave spoke to 833 security decision makers about the
topic, including CIOs, CISOs, and IT Directors / Managers in the U.S., the
U.K., Canada, and Germany.

Depending on where the respondent lived, the level of pressure experienced
varied. In the U.S., 65 percent of the respondents said they expect to feel
more strain this year, compared to the 43 percent in Germany who expected
to feel an increase in stress.

Yet, when the data from 2013 is included, professionals in both locations
reported a year-over-year increase in perceived pressures, and Germany had
the largest gain -- jumping from 33 percent in 2013 to 43 percent in 2014.
In comparison, the U.S. had a three percent increase, the U.K. showed a four
percent increase, and Canada reported a seven percent bump.

CSO Online spoke to Trustwave's Leo Cole, the General Manager of Security
Solutions, and Chris Pogue, Director of Incident Response and Forensics
about the study. One of the first questions asked of them addressed the
source of the respondent's stress.

Last year, the media was flooded with reports of data breaches, new attack
vectors, and threats of various types. More recently, 2014 kicked off with
the news of a security incident at Target that impacted some 70 million
customers. So is the increase in pressure reported by the study's
respondents based on the uptick in security-related news coverage, or is it
something else?

"When we speak to CIOs, CISOs, IT Managers/Directors, we almost always hear
that their Board of Directors has asked them what they are doing to protect
the company's valuable information. When the Board asks questions, there is
more pressure. However, security has been a board-level issue for some
time," Cole explained.

Today, the difference is in the type of questions being asked by the board.
It used to be a matter of answering the question, "what are we doing to
prevent data loss?" Now, the question is focused on the fact that data
breaches and other security incidents keep happening despite the purchase
of products and solutions that are supposed to prevent them. So the
question of "what are we doing?" has become "why does this keep happening?"
and "what are we doing to make sure we don't get breached next?"

"The Board is taking the questions to a whole new level and creating a more
sophisticated conversation surrounding security. As a result, the in-house
CIO feels more pressure because not only does he have to say, 'I bought
this security technology,' but also 'I bought this security technology and
it will work,'" Cole added.

Asked the same question, Pogue felt the pressures were a mix of things,
from news coverage, to the expanding scale of breaches, and a seemingly
endless wave of attacks on all levels, from all sides.

"Security is like car insurance. People buy it hoping they will never have
to use it," he said.

"What do they get in return for their money? Help with protecting their
valuable data from getting into the wrong hands. In light of the recent
media coverage of data breaches, the 'what if' scenario is getting more
attention. Now, it's no longer 'what if I get hacked,' it's 'what if I'm
next?' It's now more real. The threat hasn't changed. The attackers haven't
changed. What has changed is the public perception and the subsequent fear
brought on by possibly being the next big breach."

When it comes to the types of threats and risks that generate the most
pressure, the respondents in the U.S. (68 percent) and Canada (63 percent)
said targeted malware, while the U.K. (64 percent) and Germany (60 percent)
singled out phishing and social engineering. That isn't to say that
targeted malware isn't a concern for them, as it ranked a close second in
the U.K. and was listed third in Germany.

Either way, the answers are interesting. In this case, targeted malware
includes attacks that profile the victim and use multiple methods in order
to get access to data that's to be compromised. However, only 49 percent of
the respondents in the U.S. listed viruses and worms as a threat that
generates the most pressure, along with 36 percent in Canada.

In fact, Germany and the U.K. didn't view them as problematic either.
Moreover, none of the respondents ranked zero-day vulnerabilities as a top
concern, despite the fact that targeted malware will often leverage all
three of these attack surfaces during a given incident, as criminals will
do whatever they can in order to assure success.

When it comes to an incident's aftermath, customer data theft tops the list
of worries, with 58 percent of the respondents picking this concern over IP
theft, reputation damage, or fines and legal action. However, despite
current events, and the growing attention given to security incidents over
the last few years, five percent of the respondents felt that their
organization was completely safe from security incidents, and thus had no
concerns.

"Oftentimes, we speak to business leaders who simply don't think they are a
target. They don't realize the wealth of information they have and how
valuable that information is to a criminal," Cole explained, when asked for
an opinion on the five percent, and how such a belief could exist these
days.

"Or, quite simply, they think they have nothing worth taking (which most
likely isn't true). However, even if that is the case, where the attackers
target a business that may not have data they can profit from, they can
still use that business as a pivot point into other organizations," Pogue
added.

Still, 58 percent of the respondents overall cited customer data loss as
the top pressure point during an incident's aftermath, but is this just a
byproduct of risk assessment? Is the fact that data loss trumps fines and
legal action because such a loss means perpetual damage to the business and
its customers, versus a fine, which is often a one-off type of hit?

"It's all risk assessment. How much protection is enough? One breach could
lead to losing the integrity of your business, whether it's losing
customers, intellectual property, customers' trust and/or a financial loss.
Small and mid-size businesses would suffer the most from this loss. They
cannot afford to lose customers and still stay in business," Cole said.

The topic of how much is enough was also referenced in the pressures
related to features vs. resources. A majority of respondents said they feel
pressure to select the latest security technologies, but at the same time,
they also lack the proper resources to use them.

In addition, there's a good deal of pressure to use cloud-based
technologies and mobile applications, but those were also the top two items
listed when it came to security risks from emerging technologies. Staffing
was another pain point, with nearly half the respondents reporting that if
they had twice the staffing levels currently available, they'd be able to
lower the stress levels and improve job effectiveness.

The report also covered internal stress, specifically from those who
reported being pressured to roll out IT projects despite security concerns.
When asked, 79 percent of the respondents said that they've had to launch an
IT project despite security concerns at least once or twice, or worse, that
they're frequently pressured to do so.

"It's logical business," Cole said, when asked why something would be pushed
through despite valid security concerns.

"Business leaders have to find new ways to market their products and those
are at the forefront of their business decisions, not security. We often
see companies launch websites that are not secure because they are solely
focusing on selling their products."

Adding to that, Pogue remarked, "Security still too often plays second
fiddle to meeting a deadline. We used to have a saying in the Army: 'you
can have it fast, or you can have it right...you can't have both.' Fast
seems to be the soup du jour."

When asked for an opinion on the project rollout stat, Kim Jones, the CSO
for Vantiv, a payment processing firm in Arizona, said that security risk
should not stop or slow projects all the time, and in fact there are times
when the risk calculus (risk vs. return) shows that the benefits outweigh
the risk. However, he also suspects that security would win those battles
more than 21 percent of the time.

"My input to a project is one of many drivers for a project's success or
failure. It is my responsibility to ensure that I (a) am properly injected
into the project process at proper points in the process; (b) properly
identify and where possible quantify the risks; (c) raise the risks to the
appropriate levels within the organization; and (d) where risk isn't
mitigated, ensure that the risks are properly and formally accepted at the
appropriate levels within the organization," Jones said in an email to CSO
Online.

In addition, Jones said it's likely that many security organizations are
not looped into the IT project cycle at appropriate points, or do not have
the type of risk identification and acceptance process that he describes.

In those organizations, security tends to be in catch-up mode. Often
they're brought in at the eleventh hour to rubber stamp the project, and if
they find something wrong, the remediation timeframe would force the
project to blow its deadline. Or worse, Jones added, without the risk
acceptance process, the organization is hard pressed to find someone
willing to sign off on accepting the risk.

"The pressure becomes that of delivering the project rapidly, on time, and
not slowing down the effort to inject the security afterthought. Combine
that with an inadequate risk acceptance process and you begin to see why
many of my brethren either change jobs rapidly or choose to leave the
profession."

So what can be done to help? What would lower the perceived pressures, and
ease the stress for those who took part in Trustwave's study?

Asked to provide a wish list for 2014, the respondents said that bigger
budgets, followed by more IT security skills and more time to focus on
security, would be their top three requests. After that, they listed less
complexity in technology, fewer requests from business line managers, and
additional staffing.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
