Cybersecurity is finally getting the attention it requires, but based on recent studies I’ve seen and conversations I’ve had, organizations have a long way to go to create a security posture that matches reality.
AttackIQ CEO Stephan Chenette recently wrote a blog post observing that most organizations are unaware of their actual security posture until they suffer a breach or are alerted by a third party. He wrote:
In the face of ever-increasing numbers of attacks, the average enterprise deploys 75 distinct security products (1), receives more than 17,000 alerts per day (2), and spends an average of $115 per employee on security (3). As an industry, we are getting into a cycle of buying more security technologies and then hiring more security engineers to manage those technologies. We need to get a handle on our capabilities sooner rather than later.
Here’s an example of where companies are lacking in their security capabilities. A recent study by Ponemon Institute and IBM found that, even as C-level executives are beginning to accept cybersecurity as a necessity, organizations are lagging way behind in application security. According to eWeek:
… 35 percent of organizations do not perform any major application security testing for application vulnerabilities. Moreover, almost half (48 percent) of respondents said their organization does not take any steps to remediate the risks associated with vulnerable applications.
Another concern from that study is that 69 percent of respondents don’t know what applications are active on the network. In a post from IBM, Neil Jones provided a number of helpful tips for improving application security testing, including a call to increase budget allocations and staffing to address these issues. But is it that easy? That brings us to another serious issue affecting security posture: the lack of security personnel. A new study from Trustwave found that security professionals are under increasing pressure to secure their organizations at a time when the skills gap is so large that it ranks as the third worst security concern, behind only advanced security threats and the adoption of emerging technologies.
So security posture is weak, organizations aren’t able to keep up with security issues, and there aren’t enough qualified security professionals. It seems hopeless, doesn’t it? It doesn’t have to be. Instead, it is time to look at the full range of options available to improve your security posture, some of which you may not be using. For instance, Diana Kelley, executive security advisor at IBM Security, told eSecurity Planet that DevOps could be the key, at least for better application security:
Just as operations and testing have increasingly been embedded into the development process and taught developers stronger testing practices, security professionals need to focus on bringing security into the DevOps process as well.
And finally, as Chenette wrote, don’t be afraid to challenge your assumptions about your security controls. By doing so:
You will be able to confidently answer questions that you were not able to before and minimize the impact of a data breach, which before was the only measurement of a successful security program. Don’t just do this annually or when the board of directors asks. Do this daily, weekly, hourly. Make repeatable, consistent testing a part of your routine, just as changing passwords or locking the lobby door occurs on a regular and predictable basis.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba