We stated in our 2012 Strategic Security report that information security pros are quick to pin the blame for problems on end users, the CFO, vendors, developers -- anyone but themselves. Harsh? Yes, but our criticism of this tack seems to have gotten through: Our 2013 data shows that security professionals are ready to take ownership of their strategies.
Between 2005, when we first offered the option, and 2012, managing the complexity of security was cited as the No. 1 information or network security challenge facing respondents to InformationWeek's annual Strategic Security surveys. We anticipated more of the same this year, given the angst over mobility and cloud and complaints about not enough money, breaches of customer information and shadowy attackers with time and resources to burn.
We were wrong.
Among the 1,029 respondents to our 2013 Strategic Security Survey, all of whom work at companies with at least 100 employees, we saw a 14-point drop (from 52% in 2012 to 38%) in the percentage saying that managing the complexity of security is among their top challenges. Moreover, among respondents saying they're more vulnerable to attack now than a year ago, we saw a 19-point dip (from 44% in 2012 to 25%) in those who blame having an increasing amount of customer data to secure -- always a bogus excuse. We saw a five-point rise in the percentage saying end user security awareness training provides significant value (from 49% to 54%).
That's not to say everyone is feeling better about their security capabilities. There has been growing concern since our 2011 survey in some areas, mostly around the human element. This year we saw an 11-point increase in the percentage that cite controlling user access to systems and data as a top challenge (from 22% in 2012 to 33%). Enforcing policies is now seen as the No. 1 challenge.
But notice the common threads: awareness of processes and risk, two topics that security pros traditionally avoided at all costs. Recognition of process and risk management shows us that infosec pros are thinking about strategy, not just products and tactics.
Respondent comments back this up. A chief systems engineer in the U.S. military cites a lack of settings management -- securely configuring a device instead of just leaving the defaults -- as the top cyber risk. "Yet we do very little about it," he says. Adds another respondent: "Security risk management is about tools, but it is also processes, training and procedure." And our favorite: "Social media and BYOD successfully broke the back of infrastructure security," says a commenter at an engineering firm. "Incidents are now so common that they no longer elicit any reaction other than endpoint cleanup."
Have we finally realized that compromising people is much easier for attackers than compromising properly configured technology? Is security finally becoming a core discipline of IT and, potentially, the overall business?
To read the rest of the article,
download the May 27, 2013, issue of InformationWeek.