What do the experts think of the current state of information security? That’s what the folks from Core Security wanted to know, so they questioned 117 people at the Black Hat security conference earlier this month. This is what they discovered.
The vast majority (80 percent) think security spending needs to increase. I guess that isn’t a surprise coming from people who make their living providing security tools and services to businesses. But the good news is that companies are willing to invest: according to Gartner, security-related spending is on the rise. Until the budget actually improves, though, security professionals in the enterprise need to make the most of the resources they already have.
Going hand-in-hand with the security budget is the size of the security team. Once again, the vast majority of these pros think that businesses are understaffed, and as a result teams aren’t able to handle all of the alerts they receive each day. As the volume of security data that organizations collect grows, so does the number of false-positive alerts that someone has to triage. eSecurity Planet reported that the load is becoming overwhelming for many teams:
According to the results of an ESG survey of 257 enterprise security professionals, 35 percent of respondents said they're challenged by too many false positive alerts and 39 percent are challenged by lack of adequate staffing. Almost one third of organizations said they're challenged by the fact that incident detection involves too many manual processes.
No wonder the security professionals believe that more security personnel need to be hired.
The biggest security problem facing companies of all sizes? Nearly half of the respondents said it was user ignorance. Those accessing the company network simply do not understand why there is a need for good security practices and/or they don’t know how to apply those practices. It’s all about improving education and providing training on how to practice safe computing, but again, it all comes back to the under-budgeted and under-staffed IT teams, doesn’t it?
The security concern that came in second surprised me a bit. Twenty-four percent said their biggest concern is siloed security, or security solutions that aren’t working together. Again, this may come down to old solutions that are mixed with new solutions and no budget to revamp the whole thing, but I can definitely see why this would hinder overall security efforts.
Finally, the Core Security folks asked how easy it would be for an outside attacker to break into the average network. More than 40 percent said it would be “like taking candy from a baby.” (Hmm, they must not know the little kids I know. It takes the jaws of life to take a piece of licorice from their little hands. On the other hand, if that is how difficult it is for hackers to break in, that’s a good thing, but I’m pretty sure the respondents meant it would be pretty darned easy.) As the Core Security folks put it:
These responses could either be telling us that the Black Hat crowd is extremely confident in attackers’ capabilities (and rooting for the home team), or that the average enterprise is unprepared to fight off today’s cyber criminals. It’s most likely that there is some truth to both of those conclusions.
Bottom line, the security experts at Black Hat think there is a lot of work to be done to improve information security. Now, are enterprises up to the challenge of making their networks more secure?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba