Security pros actively hiding negative facts from executives
A new Ponemon Institute study exposes a severe gap in security visibility and perception between C-level executives and IT security staff.
In nearly 60 percent of the organizations, responsibility for managing the impact of business or technology change on security posture resides with C-Level executives (CSO, CISO, CIO, CTO, etc.), and in 66 percent of the organizations surveyed, executive and Board perception of security is “high.”
However, the information on which that perception is based is incomplete, with 60 percent of IT security staff informing executives of specific risks only when the risk is deemed “serious,” or not at all – and in more than half of the cases, actively omitting negative facts.
In the shadow of the historic Target breach, and the revelation that Target management ignored security alerts, the findings could not be more telling, and they go to the core of what appears to be an endemic issue across every industry.
Study author, Dr. Larry Ponemon, stated, “What is most concerning is that it would seem security in many organizations is based on perception and ‘gut feel,’ versus hard data. The stakeholders with the highest responsibility seem to be the least informed – a view that is amplified externally. We also found that executive perception of security ‘strength’ had a virtually identical percentage (63 percent) in external partners, and we know that third-party failings also had a hand in the Target breach.”
Diving more deeply into the specific numbers, it quickly becomes apparent that the root causes of the broken communication and resulting vulnerability lie in an organizational inability to accommodate change and accurately set, measure and improve metrics to manage its impact, specifically:
- While a vast majority (74 percent) sees security metrics as important, 69 percent see an issue of metrics conflicting with business goals and 62 percent feel that current metrics don’t provide enough information.
- More than 40 percent see Cloud and mobility/BYOD as the technologies with the greatest impact on security effectiveness. Yet, specific to Cloud, 46 percent say that current metrics can’t quantify the full security impact of Cloud models.
- This inexact measurement of change leads IT security staff to rate their agility (57 percent) and effectiveness (56 percent) to accommodate change as “low.” As a result, 64 percent rate their organization’s overall security posture as “moderate” or “low.”
The study surveyed 597 individuals who work in IT, IT security, compliance, risk management and other related fields at Fortune 500 class organizations with 1,000 or more employees.
Jody Brazil, president and CTO of FireMon, comments: “The biggest issue is that IT security teams are flying blind. Networks are becoming more complex and expansive, while we freeze or reduce the resources tasked with managing them. The fact that the study shows 60 percent performing manual auditing or none at all is alarming.”