A new survey reported by csoonline.com says close to four out of five IT professionals were pressured into deploying inadequately secured software. The survey conducted by Trustwave also found more than 60 percent of respondents said that these rollouts happened one or two times per year, while 16 percent said they happened frequently.
More than 830 CIOs, CISOs (Chief Information Security Officers) and IT security directors and managers at companies with 250 to 5000 employees in the U.S., UK and Germany were surveyed between mid-December 2013 and mid-January 2014. Fully half said the most pressure came from company owners, boards and C-level executives while a third of respondents said the most pressure came from direct managers.
From just those numbers, it would appear telling upper management it didn’t know what it was doing is not the optimum career path to corporate success.
csoonline.com’s Antone Gonsalves asked several experts what they made of the survey’s results:
The findings were not a surprise to Drew Porter, senior security analyst for consulting firm Bishop Fox. Porter often works with companies to plug vulnerabilities in IT that was deployed too fast in order to get competitive features to customers and partners. “They want to have these features and they want it right now,” Porter said. “They worry about the security afterward.”
An example Porter runs into often is a wireless connection to a corporate portal made available to people and employees visiting a company’s campus. HTTPS is often not properly used for secure communications and it is not unusual for companies to skip the requirement of a username and password.
Such poor protection does not sit well with security executives and managers who will sometimes call in consultants to do a security review, so vulnerabilities can be documented and brought to the attention of C-level execs and boards.
“The consultant writes the report, giving the security team ammo to take to upper-management and say, ‘These are problems that we have to fix; these are high-critical items.'”
The emerging technologies that carried the greatest security risks were cloud services, mobile applications and technology to accommodate employees’ desire to use their own mobile devices for work, a trend often referred to as “bring your own device (BYOD),” the study found. Deploying social media was also considered a top risk.
The market pressure to use new technologies is causing security execs to go beyond their level of expertise, Renee Murphy, analyst for Forrester Research, said.
“CISOs are dealing with the pressures of the business telling them to innovate when clearly the (security) technology hasn’t caught up or at least their understanding of the technology hasn’t caught up,” Murphy said.
Securing the wide variety of mobile devices executives and employees want to use on the corporate network is a good example of what’s causing migraines for security pros, Murphy said. Up until the last few years, security executives only had to worry about PCs connecting to networks.
“They’re now having to do crazy amounts of stuff in order to support everything that shows up in their environments everyday,” Murphy said. “I feel their pain.”
For the current situation to improve, business people and security pros will need to come together and work on a “holistic approach” to securing new technologies, Murphy said.
“Security and risk don’t have to inhibit innovation,” she said. “Innovation might have to go a little bit slower in order to accommodate it, but there’s no reason they can’t coexist.”
Overall, a majority of respondents said the pressure to secure their organizations increased last year from 2012 and they expect to experience a similar rise this year, the report found.
The greatest concern was falling victim to a targeted malware attack, followed by the threat of phishing and hackers exploiting unknown vulnerabilities.
The greatest worry from an attack was the loss of customer data, with intellectual property theft coming in second, according to the report. Reputation damage, fines or legal action were less of a concern. To reduce security pressure, more than eight in 10 respondents listed hiring more staff. However, the survey indicated that upper-management appeared to favor hiring managed security service providers. The majority of respondents already partnered with MSSPs or was likely to do so in the future.
Other items on the wish list of security execs included more skills and expertise and more time to focus on security.
ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real time identity and access analytics that leverage the world’s largest trusted identity network.