InfoSec pros spend most time, money on self-inflicted problems

According to a new survey of Black Hat attendees released last week, InfoSec professionals spend most of their time and budgets on security problems created within the organization itself.

Security vulnerabilities introduced by their own application development teams consumed the most time for 35 percent of respondents. Purchased software and systems were in second place, at 33 percent of respondents.

Dealing with sophisticated targeted attacks was sixth on the list, with 20 percent of respondents choosing it as one of the three areas where they spent the most time.

Meanwhile, 57 percent said that their biggest concerns were sophisticated attacks directed at their organization.

And when it came to spending, only 26 percent said that sophisticated targeted attacks were one of the three areas that took up the biggest part of their security budgets, tying for first place with accidental data leaks caused by end users not following company security policies.

When asked about the weakest links at their companies, the largest number -- 33 percent -- selected end users who violate security policy and are too easily fooled by social engineering attacks.

This disparity between what security pros felt was the biggest threat, and where they were spending their time and money, was just one of the big gaps identified by the survey.

Another one had to do with the Internet of Things.

The largest share of respondents, 36 percent, said they believed IoT-based attacks would be their biggest concern in two years. However, only 3 percent said the IoT was one of their top three budget priorities this year.

Lack of resources

Nearly three quarters of respondents, 73 percent, said that they were likely to have a significant compromise in the coming year.

And a large majority also said that they didn't have enough resources to deal with the threats they were facing.

Only 27 percent said they had enough staff, and 22 percent described their security departments as being "completely underwater" or "what staff?"

And just 34 percent said they had adequate funds -- 21 percent said they were "severely hampered" by budget constraints.

The majority of respondents, 55 percent, also said they could use more training. Only 36 percent said they had the skills they needed to do their jobs, and 9 percent said they felt "ill-prepared to handle attacks or exploits they may encounter in the near future."

The survey included responses from 460 security professionals, both management and staff, predominantly at large companies. This was the first year for this survey, which was conducted last month.

The disconnect between time spent, budgets allocated, and areas of greatest risk could be a function of how fast the security environment is changing, said Steve Conrad, CEO at Bothell, Wash.-based MediaPro Holdings, LLC, a security awareness training company.

"The risk factors, the weakest links, are human," he said, adding that the survey shows that enterprises need to dedicate more resources to helping their developers write more secure code, and helping all their employees be more security conscious.

And even an annual training program might not be sufficient, given the fast-changing nature of the threats.

"If you were to update your antivirus just once a year, that's not a good security posture," he said. "But that's what we do with the human element. We don't give them the tools they need to do their jobs."

He added there's a widespread perception that you can't train people to be more security conscious.

"I think that perception is wrong," he said. "With good training, good communications, you can actually have measurable change in the organization."

Stories by Maria Korolov