BreachExchange mailing list archives

IT security pros prioritise new tech over training


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 17 Jul 2014 19:05:00 -0600

http://www.scmagazineuk.com/it-security-pros-prioritise-new-tech-over-training/article/361319/

In their 'Roadblocks, Refresh & Raising the Human Security IQ' study, the
two companies (Websense and the Ponemon Institute) surveyed nearly 5,000
security professionals across the globe, each with at least 10 years'
experience, and uncovered a whole host of topical issues, from limited
cyber security knowledge among the C-suite to concerns about current
security systems.

“This Ponemon Institute security survey highlights that a lack of
communication, education and inadequate security systems is making it
possible for cyber-criminals to attack organisations across the globe,”
said Websense CEO John McCormack in a statement to the press.

“It's not surprising that many security professionals are disappointed with
the level of protection their current solutions provide, as many still use
legacy solutions that cannot disrupt the kill chain to prevent data theft.”

Of the findings, arguably the most striking was that nearly one in three
(29 percent) IT professionals would completely overhaul their current
enterprise security system given the resources and opportunity, while only
38 percent believed that their firm was investing enough in skilled
personnel and technologies.

Almost half of all respondents (47 percent) said that they were 'frequently
disappointed' with the level of protection offered by a security solution
that they had procured, and only 12 percent said that they had never been
disappointed in their chosen security solutions.

More than one in two (56 percent) respondents believed that a data breach
would trigger a change of security vendors, but on a more encouraging note,
49 percent said that they were planning to make 'significant' investments
and adjustments to cyber security defences over the next year.

“Advanced persistent threats and data exfiltration attacks rank as the top
fears for IT security professionals,” said Dr Larry Ponemon, chairman and
founder of the Ponemon Institute. “These fears manifest because they
believe their technology is in need of an overhaul and there is a widening
gap in the knowledge and resource sharing among IT security professionals
and executive staff.”

Falling down on boardroom support, security training

The report also highlighted the continuing concerns around security
training awareness and a lack of boardroom support, issues that were raised
in a separate study of some of the UK's top chief information security
officers (CISOs) last week.

On the lack of C-level awareness, 31 percent of cyber security teams said
that they never spoke with their executive team about cyber security, with
a further 23 percent and 19 percent saying that they did so only on an
annual and bi-annual basis respectively. Just over one in ten (11 percent)
spoke to the boardroom about such matters on a quarterly basis, and one
percent spoke to them weekly.

Neil Thacker, information security and strategy officer for Websense EMEA,
told SCMagazineUK.com that too many CISOs and other senior IT staff talk
about threats and targeted attacks, rather than the solutions required by
specific department members.

“You see the Blackberries going up,” said Thacker on when CISOs talk
generally on targeted attacks to the boardroom.

According to the study, security pros feel the top three events that would
compel executive teams to allocate more money to cyber security initiatives
would be exfiltration of intellectual property (67 percent), a data breach
involving customer data (53 percent) and loss of revenue because of system
downtime (49 percent).

Security awareness is also an issue, as more than half of companies do not
currently provide cyber security education to employees, and just four
percent plan to do so in the next 12 months.

The issue, according to both Thacker and former CISO Amar Singh, is that
too many of these programmes are run on an annual basis as a 'tick box
exercise' and that most people will forget the information very quickly.

Citing an old study, Thacker said: “…People forget 50 percent of
information in five minutes – that's the issue with running awareness
campaigns but that's humans for you.”

“We've got to get better at running real-time education. It's really
powerful. Make it specific to the employee and drip it to them – you don't
want to make it like a project,” he added.

“It's a tick box exercise and it's exactly what I am seeing every day,”
added Singh, who is chair of ISACA UK's security task force. “I think not
enough companies are investing in their existing people – they're always
looking to the outside instead of upskilling.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
