Security professionals are being hammered by a powerful combination of forces: As IT systems get more difficult to defend--more open, mobile and shared--cyber-threats are also evolving to more swiftly penetrate enterprise defenses.
That is one of the core findings of the 11th annual Global Information Security Survey, conducted by PricewaterhouseCoopers and CSO. The survey also found that despite many of the more than 9,600 execs surveyed saying that their organizations have increased IT security spending, the number of attacks they're enduring and the costs of those attacks keeps rising. And not only are attacks increasing, but so are the costs per incident, with the average losses per incident up 23 percent year over year. The number of those reporting losses of greater than 10 million per incident is up 75 percent from just two years ago.
An Abundance of (Over)confidence
Despite those setbacks, this year's survey reveals an unexpectedly high level of confidence in the robustness of respondents' security efforts. A whopping 84 percent of CEOs and 82 percent of CIOs believe their programs are effective in their current state. Even CISOs, a traditionally cautious bunch, are only slightly less sure, with 78 percent expressing confidence.
This optimism is maintained despite the fact that the number of security incidents detected has risen considerably year over year: from 2,989 reported in 2012 to 3,741 in 2013. A full 18 percent of respondents report not knowing the number of incidents they detected.
This isn't to say that enterprises aren't taking many of the right steps to protect their data--they are. The survey shows that even those enterprises that haven't been taking adequate precautions plan to do a better job in the future. Many report they'll soon be setting minimum security standards for external partners, customers and suppliers, as well as instituting employee security awareness training programs.
Not surprisingly, many security practitioners disagree with this year's survey respondents about the overall state of IT security. "The bad guys basically go where they want to go and do what they want to do, and they're not being stopped. Maybe for every one organization that's effectively stopping attacks, there are 100 that are being breached," estimates Eric Cowperthwaite, CISO of Providence Health and Services.
When those breaches do occur, the impact remains high: 35 percent of respondents report that employee records were compromised, 31 percent report customer records were compromised or unavailable, and 29 percent say internal records were lost or damaged. Also significant: reports of lost or damaged internal records this year jumped 100 percent from last year.
Those losses are occurring despite increased resources being directed at the security challenge--security budgets averaged $4.3 million this year, a gain of 51 percent over 2012.
Yet despite the spending, enterprises are still playing catchup. As IT organizations master the security and management of one set of technologies, something disruptive and new always comes up, whether it's virtualization, cloud, the consumerization of IT purchasing or increased worker mobility. And it's this change that, if not properly managed, can create so many hazards for CIOs and their security teams.
A Proper Alignment
One of the best ways to ensure that enterprise technology doesn't rush past IT's ability to secure it is to keep business management and IT security management aligned.
One of the big reasons that business management and IT security remain misaligned, says Mike Rothman, president of independent research firm Securosis, is the lack of proper metrics available to measure the business impact of security activities. "That remains a huge gap. Business managers understand business metrics, and IT security--for better or for worse--doesn't lend itself to those business impact metrics. And there is the disconnect," Rothman says.
"In the last 10 years, we fought just to get the CISO recognized and have a seat at the table," says Tim McCreight, CISO for the government of Alberta. And although CISOs are more widely recognized now, they don't all have the same levels of influence. The position means different things in different organizations, and all those organizations are at different levels of security maturity. In some places, the CISO is buried deep in the management structure, while in others it's equivalent to a vice president and reports directly to the C-suite.
In too many organizations, decisions regarding new IT projects, application design and deployments, and procured services are made without getting any input from IT security groups. And when security is actually brought in, it's often toward the very end of the initiative, when it's too late to offer constructive advice or establish cost-effective security controls.
To improve his organization's ability to make smarter risk-based decisions, McCreight shifted Alberta's CISO role to that of a risk adviser to the business, not a service provider. For instance, a business manager recently asked McCreight to endorse the architecture for a new initiative.
"I said no, it's your architecture," he says.
Now, individual business unit owners accept the risk posture of their systems. How did McCreight get the organization to that point? It required that everyone speak the same language when discussing risk.
Something as seemingly simple as determining what low, medium and high levels of risk means can in reality be incredibly complicated, because "acceptable risk" means different things to different people depending on their experience and personality. To get everyone aligned, McCreight assembled a team of subject-matter experts from various business units and management teams, including representatives from business continuity teams, IT teams and the ranks of project leaders. "We got everybody into a room, and they didn't come out until they determined their shared definition of high, medium and low risk--and they understood what the likelihood and impact [of a security event] meant to them," he says.
Those meetings took a year. "Now, when we talk about a high risk--whether it's a physical security risk or an IT risk or a hiring a person--we all know what 'high' means," McCreight says.
To the Cloud
Cloud computing is changing how many organizations view risk. This year, 47 percent of respondents report using cloud computing, and of those using cloud, 59 percent believe their security posture has improved, yet only 18 percent include rules about cloud in their security policies. Software as a service remains the most widely adopted cloud service, staying steady at 69 percent adoption, and platform as a service shows the strongest year-over-year growth, increasing from 29 percent to 37 percent.
Martin Sandren, enterprise architect for security at Blue Cross Blue Shield, explains how he believes the insurer has dramatically reduced risk by moving to the cloud. "We have made a huge shift to cloud--about 80 percent of all the systems we build today are cloud-based. Almost nothing goes into our internal systems anymore," Sandren says.
This move, Sandren explains, has helped mitigate a considerable amount of the risk that results from the security practices of its smaller partners. "As a payer organization, we have a lot of small suppliers who run with a very small IT operations, but they're really good at a specific business task. This is a potentially risky situation, especially when sharing regulated data," Sandren says.
"For these businesses--and that's a lot of that [type of] business--the cloud has made it much easier for them and us to manage risk," Sandren adds. Before, these 10-person companies usually ran off a couple of servers sitting under someone's desk. "Now, these same small businesses have their servers hosted on a cloud provider that we vetted. Suddenly they have the same kind of physical security we find in an enterprise data warehouse. That's helped us a lot in quantifying risk," he says.
Steve Phillips, CIO at Avnet, the $25.5 billion electronics distributor, also puts cloud vendors through a vigorous vetting of their security capabilities and maturity. "You can't outsource risk or reputation damage should something happen," says Phillips. "That's why we put our providers through a serious evaluation--not a simple check-the-box exercise--to make sure they have the capabilities to provide the level of security we expect," Phillips says.
To ensure that IT and cloud service providers live up to their claims, Phillips also makes sure that their contracts include certain clauses, such as one requiring the provider to relay information on any breaches and another giving Avnet an escape hatch if the breach be serious enough to warrant a termination of the relationship.
A Step Behind
Why are the costs of data breaches rising despite the substantial increase in security investments among the enterprises surveyed? Certainly some of it can be attributed to the rising costs of responding to breach disclosures, increased threats, and a higher priority placed on cybersecurity. However, a big part of the rising cost is that too much emphasis is placed on preventing and spotting attacks, when organizations should also be developing the ability to respond when the inevitable occurs.
Many respondents still can't adequately identify or respond to breaches. In fact, only 61 percent inspect their inbound and outbound network traffic, and less than that had used malware analytics to fight advanced threats, or used security event and information management systems to detect potential incidents.
"We are all taught in security 101 to put the basic defensive controls in place first. Most don't get to that point, let alone beyond it. However, there are companies out there, more mature companies, that have built in the ability to respond," says Rothman. "The problem is that they are not the general population. Typically, if they see a breach--if they even see it in the first place--most will call their service provider," he says. And even among companies that do invest in the technology needed to detect and respond to attacks, many don't have the expertise on-staff to take full advantage of the tools' capabilities.
If you can't see the threats, it's almost impossible to respond to them intelligently, and this reality is reflected in the survey results. Only 18 percent of organizations reported being extremely effective at reporting, managing and intercepting cyberthreats. The majority reported that they were minimally effective or did not know how effective they were.
The industry is "too heavy-handed when it comes to investing in preventative controls," says Jay Leek, CISO at private equity firm The Blackstone Group. "We have not invested enough in detective and reactive--what I call 'response'--controls. I believe that we need to focus more on how well we can identify and respond to attacks," he says.
"If you look at security programs in large organizations, they probably spend 70 to 80 percent of their budget on preventative measures. These budgets, I found, also largely correlate to where resources are typically focused, leaving only 20 to 30 percent focused on detective and reactive controls," Leek says.
"It's clearly not working," he adds. "And I would think that incident response would be an ideal place to focus today because the nature of IT systems and their complexity means the chance of one experiencing a security breach has got to be high. You have to assume you would need the ability to respond one day."