PwC survey: Preparation, not prediction, is key to weathering security storm

By Brian Musthaler | February 01, 2012

Posted in: Network Security Trends

At the beginning of every year, experts feel compelled to make predictions about the kinds of security threats we’ll see in IT in the year ahead. While predictions can be interesting, they typically are little more than an extension of recent security threat trends. As long as the trends continue, the prognosticators look pretty smart.

What I find to be more compelling than predictions based on what happened last year are the annual “state of security” studies performed by various consultants and vendors. These anonymous surveys and studies provide the real insight into the thinking of enterprise security professionals and how they are investing their limited budgets to prepare and protect their enterprises from the ever-changing threat vectors and risks.

I live along the Gulf Coast, where predicting and watching for tropical storms is an annual ritual. It’s no wonder, then, that the PricewaterhouseCoopers report, “The Eye of the Storm - Key findings from the 2012 Global State of Information Security Survey,” caught my eye with its metaphor likening security to predicting and preparing for destructive storms.

PwC alludes to the similarities of tropical depressions and security threats, saying that “tropical storm eyes typically exhibit significant fluctuations in intensity and can create headaches for forecasters.” “Threats to security – like the weather – are hard to predict,” PwC writes. “Predictions aside, what matters most is preparation.”

Truer words have never been written. Why? The unfortunate fact is, information security has been and continues to be reactionary. Companies implement new technologies and solutions to prevent known threats, and then it’s not long until new threats emerge to counter the security controls. It’s a vicious cycle. As technology evolves, so do the threats and their motives, which range from monetary gain to state-funded espionage.

How do organizations keep out of the headlines? One word: preparation.

Here are some of PwC’s key findings on how well companies are prepared for the storm:

  • To no one’s surprise, mobile devices and social media present both a significant new risk and a corresponding demand for mitigation. Organizations are increasing their efforts to prevent mobile- and social media-based attacks, with 43% of respondents having a security strategy for employee use of personal devices, 37% having a security strategy for mobile devices and 32% having a security strategy for social media.

  • More than four out of ten respondents indicate that their organization utilizes some form of cloud computing, with 69% of those companies using SaaS, 47% using IaaS, and 33% using PaaS. 54% of the organizations indicate that cloud technologies have improved security, while 23% say it has increased vulnerability. Overall, the largest perceived risk is the uncertain ability to enforce service provider security policies. Other risks include inadequate training and IT auditing, questionable privileged access control at the provider site, the proximity of data to someone else’s and the uncertain ability to recover data if necessary.

  • When asked to identify the highest hurdle to improving information security, responses vary by role. CEOs believe the primary obstacle is the lack of capital, but they also acknowledge that they themselves, along with the Board of Directors, are also hindrances. CFOs agree with that assessment. CIOs and CISOs say the biggest obstacle is the lack of an actionable vision, followed closely by the lack of an effective information security strategy.

  • More than 70% of respondents feel confident in the effectiveness of their organization’s information security capabilities. This indicates that information security is viewed as a critical business function rather than a “patchwork of technical guesses” or merely a line item in the CIO’s budget.


PwC suggests that organizations use the information within their report to help define a vision for their unique information security programs and then define or refine their information security strategies.

Moreover, at minimum, make sure that the strategy brings an acute and prioritized focus on these four critical elements: (1) leadership, (2) strategy, (3) alignment with the business and (4) a customer-centric approach.
