According to a new survey of Black Hat attendees released last week, InfoSec professionals are spending the largest share of their time and budgets on security problems created within the organization itself.
Security vulnerabilities introduced by their own application development teams consumed the most time for 35 percent of respondents. Purchased software and systems were in second place with 33 percent of respondents.
Dealing with sophisticated targeted attacks was sixth on the list, with 20 percent of respondents choosing it as one of the three areas where they spent the most time.
Meanwhile, 57 percent said that their biggest concerns were sophisticated attacks directed at their organization.
And when it came to spending, only 26 percent said that sophisticated targeted attacks were one of the three areas that took up the biggest part of their security budgets, tying for first place with accidental data leaks caused by end users not following company security policies.
When asked about the weakest links at their companies, the largest number -- 33 percent -- selected end users who violate security policy and are too easily fooled by social engineering attacks.
This disparity between what security pros felt was the biggest threat, and where they were spending their time and money, was just one of the big gaps identified by the survey.
Another one had to do with the Internet of Things.
The largest number of respondents, 36 percent, said that they believed IoT-based attacks would be their biggest concern in two years. However, only 3 percent said that the IoT was one of the top three budget priorities this year.
Lack of resources
Nearly three quarters of respondents, 73 percent, said that they were likely to have a significant compromise in the coming year.
And a large majority also said that they didn't have enough resources to deal with the threats they were facing.
Only 27 percent said they had enough staff, and 22 percent described their security departments as being "completely underwater" or "what staff?"
And just 34 percent said they had adequate funds -- 21 percent said they were "severely hampered" by budget constraints.
The majority of respondents, 55 percent, also said that they could use more training. Only 36 percent said they had the skills they needed to do their jobs, and 9 percent said that they feel "ill-prepared to handle attacks or exploits they may encounter in the near future."
The survey included responses from 460 security professionals, both management and staff, predominantly at large companies. This was the first year for this survey, which was conducted last month.
The disconnect between time spent, budgets allocated, and areas of greatest risk could be a factor of how fast the security environment is changing, said Steve Conrad, CEO at Bothell, Wash.-based MediaPro Holdings, LLC, a security awareness training company.
"The risk factors, the weakest links, are human," he said, adding that the survey shows that enterprises need to dedicate more resources to helping their developers write more secure code, and helping all their employees be more security conscious.
And even an annual training program might not be sufficient, given the fast-changing nature of the threats.
"If you were to update your antivirus just once a year, that's not a good security posture," he said. "But that's what we do with the human element. We don't give them the tools they need to do their jobs."
He added there's a widespread perception that you can't train people to be more security conscious.
"I think that perception is wrong," he said. "With good training, good communications, you can actually have measurable change in the organization."