The latest Strategic Security Survey from InformationWeek shows security professionals are having a tough time keeping up with the complexities of IT security. Unfortunately, they may also be missing some of the most relevant threats to their information security because they tend to focus too closely on making sure they meet compliance requirements.

More than half (52 percent) of the survey’s 946 respondents list managing the complexity of security as one of the biggest challenges they face today. It comes in far ahead of other security challenges, such as enforcing security policies (39 percent), preventing data breaches from outside attackers (34 percent) and even meeting regulatory and industry compliance requirements, which only 21 percent of respondents consider one of their biggest challenges.

According to Michael A. Davis, author of the report on the survey and CEO of Savid Technologies, a Chicago-based technology and security consulting firm, companies seem to be meeting compliance requirements just fine. It’s the actual threat of a security breach that their security plans fail to address.

Most organizations’ security programs are “adequate for compliance, but not good enough to prevent even basic attacks,” Davis told Network Computing. “Most programs don’t include good metrics programs to gauge their effectiveness, and most focus on meeting the minimum requirements, rather than taking a best practices-based approach that is customized to the environment at hand.”

Things like conducting a risk assessment of a cloud provider, which just 29 percent of respondents do, are critical to ensuring that the security in place addresses your organization’s key vulnerabilities, according to Davis. Last year, only 18 percent of respondents conducted a cloud provider risk assessment, so attention to this step is growing. But Davis suggests that it should be mandatory.


Mobile devices, though talked about constantly, don’t seem to worry security professionals much. Forty-four percent of respondents consider mobile devices to be only a minor threat compared with 25 percent who consider them to pose a major threat to security. What’s the top mobile security concern? Security professionals are most worried about employees losing the devices, which makes sense when you consider how easy it is to leave a smartphone in a cab, on the train, or really anywhere.

Interestingly, while respondents aren’t terribly concerned about mobile device security, most of them are making efforts to improve it. Seventy percent of companies are either using (31 percent) or considering (39 percent) a mobile device management system to set and enforce a single security policy across different types of devices. While these systems can provide the ability to wipe sensitive information from a stolen device (security professionals’ top concern), Davis cautions that these systems’ security features won’t work on every mobile device, since mobile operating systems vary widely. He also suggests that mobile threats are minor compared with things like phishing, SQL injection and malware, which deserve focused attention.

“Sadly, the yardstick for a good security program during the past 10 years has been whether you are compliant or not,” Davis told Network Computing. “Compliance means nothing. You can be compliant yet insecure.” Davis recommends that companies implement measurement to gauge their security success, and that they base the metrics on their individual circumstances rather than an arbitrary set of compliance rules.

Do you agree with Davis’s assessment of the state of IT security? Do you think your organization has focused on compliance at the expense of real threats to security? Or do you follow a best practice model to meet your unique security challenges?
