In 2015, enterprises will spend more than $71.1 billion on information security – more than they have ever spent before, according to Gartner Group figures. Yet, the incidence of major data breaches shows no signs of abating. As enterprises continue to struggle with online attacks and data leaks, many are asking one common question: What are we doing wrong?
According to a survey of nearly 500 top-level security experts who have attended Black Hat USA, most enterprises are not spending their time, budget, and staffing resources on the problems that most security professionals consider to be the greatest threats.
The survey revealed a significant gap between the top concerns that keep security professionals awake at night, compared to the tasks that keep them occupied during the day.
Sophisticated targeted attacks: 57% of respondents indicated attacks targeted directly at their organization as their greatest concern. However, only 26% indicated that mitigating these attacks were among the top three security spending priorities in their organization. Further, only 20% said targeted attacks were among the top three tasks they spend the most time on day-to-day.
Social engineering: At 46%, the second greatest concern was phishing, social network exploits or other forms of social engineering. Yet, only 22% indicated their organization spends a large portion of their security budget here. And only 31% indicated that they spend a large amount of their time on social engineering.
More than a third of Black Hat attendees said that their most time-consuming tasks are in addressing vulnerabilities introduced by internally developed software (35%) and vulnerabilities introduced by off-the-shelf software (33%). The data suggest that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.
Nearly three quarters (73%) of respondents think it is likely that their organizations will have to deal with a major data breach in the year ahead. A key reason for security professionals’ con- cerns about future attacks is the shortage of resources that they feel in their own organizations:
Staffing shortage: Only 27% of respondents said they feel their organization has enough staff to defend itself against current threats.
Measly budgets: Only one-third (34%) said their organization has enough budget to defend itself against current threats.
In Need of training: While 36% said they have the skills they need to do their jobs, some 55% said they could use some training.
The combination of these responses should serve as a warning to the industry that security defense strategies and resources need serious rethinking, and that the protectors of the enterprise are not confident in their ability to keep adversaries out of systems and data.