Study shows those responsible for security face mounting pressures

According to a recent study, security-related pressures in IT have climbed steadily year-over-year, as security professionals face the constant strain that comes with defending their organization's network and data from an assortment of threats from all sides.

The data comes from Trustwave's 2014 Security Pressures report, which was provided to CSO Online exclusively ahead of its publication next week. In an attempt to understand the variety of pressures that those working in InfoSec face, Trustwave spoke to 833 security decision makers about the topic, including CIOs, CISOs, and IT Directors / Managers in the U.S., the U.K., Canada, and Germany.

Depending on where the respondent lived, the level of pressure experienced varied. In the U.S., 65 percent of the respondents said they expect to feel more strain this year, compared to the 43 percent in Germany who expected to feel an increase in stress.

Yet, when the data from 2013 is included, professionals in both locations reported a year-over-year increase in perceived pressures, and Germany had the largest gain -- jumping from 33 percent in 2013 to 43 percent in 2014. In comparison, the U.S. had a three percent increase, the U.K. showed a four percent increase, and Canada reported a seven percent bump.

CSO Online spoke to Trustwave's Leo Cole, the General Manager of Security Solutions, and Chris Pogue, Director of Incident Response and Forensics, about the study. One of the first questions asked of them addressed the source of the respondents' stress.

Last year, the media was flooded with reports of data breaches, new attack vectors, and threats of various types. Recently, 2014 started off with the news of a security incident at Target that impacted some 70 million customers. So is the increase in pressure reported by the study's respondents based on the uptick in security-related news coverage, or is it something else?

"When we speak to CIOs, CISOs, IT Managers/Directors, we almost always hear that their Board of Directors has asked them what they are doing to protect the company's valuable information. When the Board asks questions, there is more pressure. However, security has been a board-level issue for some time," Cole explained.

Today, the difference is in the type of questions being asked by the board. It used to be a matter of answering the question, "what are we doing to prevent data loss?" Now, the question is focused on the fact that data breaches and other security incidents keep happening despite the purchase of products and solutions that are supposed to prevent them. So the question of "what are we doing?" has become "why does this keep happening?" and "what are we doing to make sure we don't get breached next?"

"The Board is taking the questions to a whole new level and creating a more sophisticated conversation surrounding security. As a result, the in-house CIO feels more pressure because not only does he have to say, 'I bought this security technology,' but also 'I bought this security technology and it will work,'" Cole added.

Asked the same question, Pogue felt the pressures were a mix of things, from news coverage, to the expanding scale of breaches, and a seemingly endless wave of attacks on all levels, from all sides.

"Security is like car insurance. People buy it hoping they will never have to use it," he said.

"What do they get in return for their money? Help with protecting their valuable data from getting into the wrong hands. In light of the recent media coverage of data breaches, the 'what if' scenario is getting more attention. Now, it's no longer 'what if I get hacked,' it's 'what if I'm next?' It's now more real. The threat hasn't changed. The attackers haven't changed. What has changed is the public perception and the subsequent fear brought on by possibly being the next big breach."

When it comes to the types of threats and risks that generate the most pressure, the respondents in the U.S. (68 percent) and Canada (63 percent) said targeted malware, while the U.K. (64 percent) and Germany (60 percent) singled out phishing and social engineering. That isn't to say that targeted malware isn't a concern for them, as it ranked a close second in the U.K. and was listed as third in Germany.

Either way, the answers are interesting. In this case, targeted malware includes attacks that profile the victim and use multiple methods in order to get access to data that's to be compromised. However, only 49 percent of the respondents in the U.S. listed viruses and worms as a threat that generates the most pressure, along with 36 percent in Canada.

In fact, Germany and the U.K. didn't view them as problematic either. Moreover, none of the respondents ranked zero-day vulnerabilities as a top concern, despite the fact that targeted malware will often leverage all three of these attack surfaces during a given incident, as criminals will do whatever they can in order to assure success.

When it comes to an incident's aftermath, customer data theft tops the list of worries, with 58 percent of the respondents picking this concern over IP theft, reputation damage, or fines and legal action. However, despite current events, and the growing attention given to security incidents over the last few years, five percent of the respondents felt that their organization was completely safe from security incidents, and thus had no concerns.

"Oftentimes, we speak to business leaders who simply don't think they are a target. They don't realize the wealth of information they have and how valuable that information is to a criminal," Cole explained, when asked for an opinion on the five percent, and how such a belief could exist these days.

"Or, quite simply, they think they have nothing worth taking (which most likely isn't true). However, even if that is the case, where the attackers target a business that may not have data they can profit from, they can still use that business as a pivot point into other organizations," Pogue added.

Still, 58 percent of the respondents overall cited customer data loss as the top pressure point during an incident's aftermath, but is this just a byproduct of risk assessment? Does data loss trump fines and legal action because such a loss means perpetual damage to the business and its customers, versus a fine, which is often a one-off type of hit?

"It's all risk assessment. How much protection is enough? One breach could lead to losing the integrity of your business, whether it's losing customers, intellectual property, customers' trust and/or a financial loss. Small and mid-size businesses would suffer the most from this loss. They cannot afford to lose customers and still stay in business," Cole said.

The topic of how much is enough was also referenced in the pressures related to features vs. resources. A majority of respondents said they feel pressure to select the latest security technologies, but at the same time, they also lack the proper resources to use them.

In addition, there's a good deal of pressure to use cloud-based technologies and mobile applications, but those were also the top two items listed when it came to security risks from emerging technologies. Staffing was another pain point, with nearly half the respondents reporting that if they had twice the staffing levels currently available, they'd be able to lower the stress levels and improve job effectiveness.

The report also covered internal stress, specifically those who reported being pressured to roll out IT projects despite security concerns. When asked, 79 percent of the respondents said that they've had to launch an IT project despite security concerns at least once or twice, or worse, they're frequently pressured to do so.

"It's logical business," Cole said, when asked why something would be pushed with valid security concerns.

"Business leaders have to find new ways to market their products and those are at the forefront of their business decisions, not security. We often see companies launch websites that are not secure because they are solely focusing on selling their products."

Adding to that, Pogue remarked, "Security still too often plays second fiddle to meeting a deadline. We used to have a saying in the Army: 'you can have it fast, or you can have it can't have both.' Fast seems to be the soup-de-jour."

When asked for an opinion on the project rollout stat, Kim Jones, the CSO for Vantiv, a payment processing firm in Arizona, said that security risk should not stop or slow projects all the time, and in fact there are times when the risk calculus (risk vs. return) shows that the benefits outweigh the risk. However, he also suspects that security would win those battles more than 21 percent of the time.

"My input to a project is one of many drivers for a project's success or failure. It is my responsibility to ensure that I (a) am properly injected into the project process at proper points in the process; (b) properly identify and where possible quantify the risks; (c) raise the risks to the appropriate levels within the organization; and (d) where risk isn't mitigated, ensure that the risks are properly and formally accepted at the appropriate levels within the organization," Jones said in an email to CSO Online.

In addition, Jones said it's likely that many security organizations are not looped into the IT project cycle at appropriate points, or do not have the type of risk identification and acceptance process that he describes.

In those organizations, security tends to be in catch-up mode. Often they're brought in at the eleventh hour to rubber stamp the project, and if they find something wrong, the remediation timeframe would force the project to blow its deadline. Or worse, Jones added, without the risk acceptance process, the organization is hard pressed to find someone willing to sign off on accepting the risk.

"The pressure becomes that of delivering the project rapidly, on time, and not slowing down the effort to inject the security afterthought. Combine that with an inadequate risk acceptance process and you begin to see why many of my brethren either change jobs rapidly or choose to leave the profession."

So what can be done to help? What would lower the perceived pressures, and ease the stress for those who took part in Trustwave's study?

Asked to provide a wish list for 2014, the respondents said that bigger budgets, followed by more IT security skills and more time to focus on security, would be their top three requests. After that, they listed less complexity in technology, fewer requests from business line managers, and additional staffing.


Stories by Steve Ragan
