IT Departments Aren’t Prepared for Security Risks

If your organization was confronted with a security threat, do you feel confident that your IT professionals (assuming they handle your security needs) would be able to mitigate the threat?

If you answered yes, you are in the minority. A new study from Netwrix Corporation found that only 26 percent of IT departments are ready and able to handle security risks.

In this security climate, that number is astoundingly low. Security experts everywhere warn that we are in a when, not if, situation when it comes to becoming the victim of an attack. Yet, digging deeper into the study, the reasons why that number is so low become clear. Too many organizations expect their IT people to be security experts, and that’s simply not the case. According to the survey, 65 percent of organizations don’t have a dedicated security person and 31 percent don’t know what happens to data when it is stored in third-party data centers.

We shouldn’t be surprised by these numbers. IT professionals aren’t trained to handle security; they are trained to handle computer hardware and software problems. A few years ago, I was invited to an event for CISOs and CSOs from some of the biggest organizations in the country. Even that recently, they told me, CISO was an uncommon C-suite position, and without fail, every person I talked to told me that he started his career in IT and at some point, when it was clear security needed to be addressed, he was given the job because “I was the computer guy.”

As we’ve learned, although they seem like a logical fit, IT and security don’t necessarily go hand-in-hand. They are different skill sets, and when we ask IT to perform security jobs without having the right skills, we are going to have an organization that falls into that 74 percent unprepared for security threats.

At the same time, organizations are struggling to find employees with the right skills. There has been a lot of talk about the security professional shortage, but there are other problems, too, like budget shortfalls. The Netwrix study found the biggest obstacle to being prepared for a security incident is budget, with 57 percent of respondents citing this as a problem (with 54 percent saying lack of time, which kind of goes together with not having the right type of personnel in place). These numbers correspond with results from a Trustwave study that found those in charge of security don’t have control of the budget. That report also highlighted the struggles organizations have in bringing people qualified to handle security, as Chris Schueler, Trustwave senior vice president of Managed Security Services, was quoted in Biz Report:

[W]e keep seeing enterprises simply throwing bodies at the problem when what is really needed is a better staff training, more budget support to hire the right personnel and additional assistance from experienced third-party experts to help amplify the more complicated and demanding areas of security like testing, monitoring and incident response.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba