IT innovation challenging security pros' knowledge, resources

Upper management pushing for rollout of new technology without fully understanding security risks

Pressure from upper management and boards is pushing security pros beyond their knowledge and resources, forcing them to roll out technology that is not properly secured, experts say.


Nearly four in five IT pros were pressured last year into deploying inadequately secured software, according to a report from Trustwave set for release next week. The report, provided exclusively to CSO Online prior to release, shows that more than 60 percent of the respondents said that such rollouts occurred once or twice a year, while 16 percent said they happened frequently.

Half of the more than 830 CIOs, CISOs and IT security directors and managers surveyed between mid-December 2013 and mid-January 2014 said the most pressure came from company owners, boards and C-level executives. Almost a third of the respondents, who worked for companies with 250 to 5,000 employees in the U.S., U.K., Canada and Germany, said the most pressure came from their direct managers.

The findings were not a surprise to Drew Porter, senior security analyst for consulting firm Bishop Fox. Porter often works with companies to plug vulnerabilities in systems that were deployed too quickly in order to get competitive features to customers and partners.

"They want to have these features and they want it right now," Porter said. "They worry about the security afterward."

An example Porter runs into often is a wireless connection to a corporate portal made available to visitors and employees on a company's campus. HTTPS is often misconfigured or not enforced, and it is not unusual for companies to skip requiring a username and password altogether, so anyone who joins the wireless network can reach the portal's content in the clear.
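The two weaknesses Porter describes are easy to check for mechanically. The following is an added example, not code from the article, from Trustwave or from Bishop Fox: a small audit routine that takes the responses to an unauthenticated request over http:// and https:// and reports whether cleartext is forced to HTTPS, whether HSTS is set for a useful lifetime, whether the portal hands out content without a login, and whether any session cookie is confined to TLS. The responses here are constructed samples rather than captures from a real portal, the host `portal.example.com` is a placeholder, and the six-month HSTS minimum is an assumed policy threshold; for a live check you would replace the canned `Response` objects with real fetches.

```python
"""Offline audit of a guest-portal deployment for the weaknesses described above:
cleartext HTTP that is never forced to HTTPS, and portal content served without
any login. Canned responses stand in for a live fetch so this runs offline."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Six months in seconds: the minimum HSTS max-age this audit accepts (assumed policy).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


@dataclass
class Response:
    """A captured HTTP response: status code, headers and body."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup (header names are case-insensitive in HTTP)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().isdigit():
            return int(arg.strip())
    return 0


def is_auth_gate(resp: Response) -> bool:
    """True if an unauthenticated request was refused or sent to a login form."""
    if resp.status in (401, 403):
        return True
    location = resp.header("Location") or ""
    if 300 <= resp.status < 400 and "login" in urlsplit(location).path.lower():
        return True
    # A 200 is acceptable only if what came back is the login form itself.
    return resp.status == 200 and 'type="password"' in resp.body.lower()


def audit_portal(http_resp: Response, https_resp: Response) -> List[str]:
    """Return finding codes for an unauthenticated GET over http:// and https://.
    An empty list means none of the audited weaknesses were observed."""
    findings: List[str] = []

    # 1. Cleartext must hand the client to HTTPS, not serve the portal in the clear.
    location = http_resp.header("Location") or ""
    if not (300 <= http_resp.status < 400 and urlsplit(location).scheme == "https"):
        findings.append("no-https-redirect")

    # 2. HSTS stops browsers from ever trying cleartext again; a tiny max-age is nearly useless.
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("no-hsts")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("hsts-too-short")

    # 3. Without credentials the portal must refuse or redirect, not render content.
    if not is_auth_gate(https_resp):
        findings.append("unauthenticated-content")

    # 4. Any session cookie issued must be confined to TLS and kept away from script.
    cookie = https_resp.header("Set-Cookie")
    if cookie is not None:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie-not-secure")
        if "httponly" not in attrs:
            findings.append("cookie-not-httponly")

    return findings


# Constructed sample responses (not captured from any real system).
PORTAL_HTML = "<h1>Visitor portal</h1><a href='/docs'>Internal docs</a>"
WEAK_HTTP = Response(200, {"Content-Type": "text/html"}, PORTAL_HTML)
WEAK_HTTPS = Response(200, {"Set-Cookie": "session=abc123; Path=/"}, PORTAL_HTML)

HARDENED_HTTP = Response(301, {"Location": "https://portal.example.com/"})
HARDENED_HTTPS = Response(302, {
    "Location": "https://portal.example.com/login",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
})

# Redirects to HTTPS and asks for a password, but the HSTS policy lapses after five minutes.
PARTIAL_HTTP = Response(302, {"Location": "https://portal.example.com/"})
PARTIAL_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=300"},
                         '<form><input type="password" name="pw"></form>')

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("hardened", (HARDENED_HTTP, HARDENED_HTTPS)),
                        ("partial", (PARTIAL_HTTP, PARTIAL_HTTPS))):
        print(f"{label}: {audit_portal(*pair) or 'no findings'}")
```

The "partial" case is the one that tends to slip past a quick manual look: the redirect and the login form are both there, but a five-minute HSTS lifetime means the next visit from the same laptop starts over cleartext, which is exactly what an attacker on the campus wireless network wants.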

Such poor protection does not sit well with security executives and managers who will sometimes call in consultants to do a security review, so vulnerabilities can be documented and brought to the attention of C-level execs and boards.

"The consultant writes the report, giving the security team ammo to take to upper management and say, 'These are problems that we have to fix; these are high-critical items,'" Porter said.

The emerging technologies that carried the greatest security risks were cloud services, mobile applications and bring-your-own-device (BYOD) programs that let employees use their own mobile devices for work, the study found. Deploying social media was also considered a top risk.


The market pressure to use new technologies is causing security execs to go beyond their level of expertise, Renee Murphy, analyst for Forrester Research, said.

"CISOs are dealing with the pressures of the business telling them to innovate when clearly the (security) technology hasn't caught up or at least their understanding of the technology hasn't caught up," Murphy said.

Securing the wide variety of mobile devices executives and employees want to use on the corporate network is a good example of what's causing migraines for security pros, Murphy said. Up until the last few years, security executives only had to worry about PCs connecting to networks.

"They're now having to do crazy amounts of stuff in order to support everything that shows up in their environments everyday," Murphy said. "I feel their pain."

For the current situation to improve, businesspeople and security pros will need to come together and work on a "holistic approach" to securing new technologies, Murphy said.

"Security and risk don't have to inhibit innovation," she said. "Innovation might have to go a little bit slower in order to accommodate it, but there's no reason they can't coexist."


Overall, a majority of respondents said the pressure to secure their organizations increased last year from 2012 and they expect to experience a similar rise this year, the report found.

The greatest concern was falling victim to a targeted malware attack, followed by phishing and by attackers exploiting previously unknown vulnerabilities. Phishing is when attackers craft email that tricks recipients into opening a malware-carrying attachment or clicking a link to a malicious website.

The greatest worry from an attack was the loss of customer data, with intellectual property theft coming in second, according to the report. Reputation damage, fines or legal action were less of a concern.

To reduce security pressure, more than eight in 10 respondents listed hiring more staff. However, the survey indicated that upper management appeared to favor contracting managed security service providers (MSSPs) instead. The majority of respondents already partnered with MSSPs or were likely to do so in the future.

Other items on the wish list of security execs included more skills and expertise and more time to focus on security.
