Trustwave report shows year-over-year increase of pressures on InfoSec leaders.
According to a recent study, security-related pressures in IT have climbed steadily year-over-year, as security professionals face the constant strain that comes with defending their organization’s network and data from an assortment of threats from all sides.
The data comes from Trustwave’s 2014 Security Pressures report, which was provided to CSO Online exclusively ahead of its publication next week. In an attempt to understand the variety of pressures that those working in InfoSec face, Trustwave spoke to 833 security decision makers about the topic, including CIOs, CISOs, and IT Directors / Managers in the U.S., the U.K., Canada, and Germany.
Depending on where the respondent lived, the level of pressure experienced varied. In the U.S., 65 percent of the respondents said they expect to feel more strain this year, compared to the 43 percent in Germany who expected to feel an increase in stress.
Yet, when the data from 2013 is included, professionals in both locations reported a year-over-year increase in perceived pressures, and Germany had the largest gain, jumping from 33 percent in 2013 to 43 percent in 2014. In comparison, the U.S. had a three percent increase, the U.K. showed a four percent increase, and Canada reported a seven percent bump.
CSO Online spoke to Trustwave’s Leo Cole, the General Manager of Security Solutions, and Chris Pogue, Director of Incident Response and Forensics, about the study. One of the first questions asked of them addressed the source of the respondents’ stress.
Last year, the media was flooded with reports of data breaches, new attack vectors, and threats of various types. More recently, 2014 kicked off with the news of a security incident at Target that impacted some 70 million customers. So is the increase in pressure reported by the study’s respondents based on the uptick in security-related news coverage, or is it something else?
“When we speak to CIOs, CISOs, IT Managers/Directors, we almost always hear that their Board of Directors has asked them what they are doing to protect the company’s valuable information. When the Board asks questions, there is more pressure. However, security has been a board-level issue for some time,” Cole explained.
Today, the difference is in the type of questions being asked by the board. It used to be a matter of answering the question, “what are we doing to prevent data loss?” Now, the question is focused on the fact that data breaches and other security incidents keep happening despite the purchase of products and solutions that are supposed to prevent them. So the question of “what are we doing?” has become “why does this keep happening?” and “what are we doing to make sure we don’t get breached next?”
“The Board is taking the questions to a whole new level and creating a more sophisticated conversation surrounding security. As a result, the in-house CIO feels more pressure because not only does he have to say, ‘I bought this security technology,’ but also ‘I bought this security technology and it will work,’” Cole added.
Asked the same question, Pogue felt the pressures were a mix of things, from news coverage, to the expanding scale of breaches, and a seemingly endless wave of attacks on all levels, from all sides.
“Security is like car insurance. People buy it hoping they will never have to use it,” he said.
“What do they get in return for their money? Help with protecting their valuable data from getting into the wrong hands. In light of the recent media coverage of data breaches, the ‘what if’ scenario is getting more attention. Now, it’s no longer ‘what if I get hacked,’ it’s ‘what if I’m next?’ It’s now more real. The threat hasn’t changed. The attackers haven’t changed. What has changed is the public perception and the subsequent fear brought on by possibly being the next big breach.”
When it comes to the types of threats and risks that generate the most pressure, the respondents in the U.S. (68 percent) and Canada (63 percent) said targeted malware, while the U.K. (64 percent) and Germany (60 percent) singled out phishing and social engineering. That isn’t to say that targeted malware isn’t a concern for them, as it ranked a close second in the U.K. and was listed third in Germany.
Either way, the answers are interesting. In this case, targeted malware includes attacks that profile the victim and use multiple methods in order to get at the data the attacker is after. However, only 49 percent of the respondents in the U.S. listed viruses and worms as a threat that generates the most pressure, along with 36 percent in Canada.
In fact, Germany and the U.K. didn’t view them as problematic either. Moreover, none of the respondents ranked zero-day vulnerabilities as a top concern, despite the fact that targeted malware will often leverage all three of these during a given incident, as criminals will do whatever they can in order to assure success.
When it comes to an incident’s aftermath, customer data theft tops the list of worries, with 58 percent of the respondents picking this concern over IP theft, reputation damage, or fines and legal action. However, despite current events, and the growing attention given to security incidents over the last few years, five percent of the respondents felt that their organization was completely safe from security incidents, and thus had no concerns.
“Oftentimes, we speak to business leaders who simply don’t think they are a target. They don’t realize the wealth of information they have and how valuable that information is to a criminal,” Cole explained, when asked for an opinion on the five percent, and how such a belief could exist these days.
“Or, quite simply, they think they have nothing worth taking (which most likely isn’t true). However, even if that is the case, where the attackers target a business that may not have data they can profit from, they can still use that business as a pivot point into other organizations,” Pogue added.
Still, 58 percent of the respondents overall cited customer data loss as the top pressure point during an incident’s aftermath, but is this just a byproduct of risk assessment? Does data loss trump fines and legal action because such a loss means perpetual damage to the business and its customers, versus a fine, which is often a one-off type of hit?
“It’s all risk assessment. How much protection is enough? One breach could lead to losing the integrity of your business, whether it’s losing customers, intellectual property, customers’ trust and/or a financial loss. Small and mid-size businesses would suffer the most from this loss. They cannot afford to lose customers and still stay in business,” Cole said.
The topic of how much is enough was also referenced in the pressures related to features vs. resources. A majority of respondents said they feel pressure to select the latest security technologies, but at the same time, they also lack the proper resources to use them.
In addition, there’s a good deal of pressure to use cloud-based technologies and mobile applications, but those were also the top two items listed when it came to security risks from emerging technologies. Staffing was another pain point, with nearly half the respondents reporting that if they had twice the staffing levels currently available, they’d be able to lower the stress levels and improve job effectiveness.
The report also covered internal stress, specifically from those who reported being pressured to roll out IT projects despite security concerns. When asked, 79 percent of the respondents said that they’ve had to launch an IT project despite security concerns at least once or twice, or worse, that they’re frequently pressured to do so.
“It’s logical business,” Cole said, when asked why a project would be pushed forward despite valid security concerns.
“Business leaders have to find new ways to market their products and those are at the forefront of their business decisions, not security. We often see companies launch websites that are not secure because they are solely focusing on selling their products.”
Adding to that, Pogue remarked, “Security still too often plays second fiddle to meeting a deadline. We used to have a saying in the Army: ‘you can have it fast, or you can have it right…you can’t have both.’ Fast seems to be the soup du jour.”
When asked for an opinion on the project rollout stat, Kim Jones, the CSO for Vantiv, a payment processing firm in Arizona, said that security risk should not stop or slow projects all the time, and in fact there are times when the risk calculus (risk vs. return) shows that the benefits outweigh the risk. However, he also suspects that security would win those battles more than 21 percent of the time.
“My input to a project is one of many drivers for a project’s success or failure. It is my responsibility to ensure that I (a) am properly injected into the project process at proper points in the process; (b) properly identify and where possible quantify the risks; (c) raise the risks to the appropriate levels within the organization; and (d) where risk isn’t mitigated, ensure that the risks are properly and formally accepted at the appropriate levels within the organization,” Jones said in an email to CSO Online.
In addition, Jones said it’s likely that many security organizations are not looped into the IT project cycle at appropriate points, or do not have the type of risk identification and acceptance process that he describes.
In those organizations, security tends to be in catch-up mode. Often they’re brought in at the eleventh hour to rubber stamp the project, and if they find something wrong, the remediation timeframe would force the project to blow its deadline. Or worse, Jones added, without the risk acceptance process, the organization is hard pressed to find someone willing to sign off on accepting the risk.
“The pressure becomes that of delivering the project rapidly, on time, and not slowing down the effort to inject the security afterthought. Combine that with an inadequate risk acceptance process and you begin to see why many of my brethren either change jobs rapidly or choose to leave the profession.”
So what can be done to help? What would lower the perceived pressures, and ease the stress for those who took part in Trustwave’s study?
Asked to provide a wish list for 2014, the respondents said that bigger budgets, followed by more IT security skills and more time to focus on security, would be their top three requests. After that, they listed less complexity in technology, fewer requests from business line managers, and additional staffing.