IT security professionals are becoming increasingly frustrated because the priorities of the business frequently leave the security department short of the time and resources it needs to fight the most critical threats, according to a new study released today.
According to the 2015 Black Hat Attendee Survey, nearly three quarters (73 percent) of top security professionals think it likely that their organizations will be hit with a major data breach in the next 12 months — but they won’t have enough time, money, or skilled staff to handle the crisis.
The survey polled some 460 infosec professionals, 61 percent of whom carry “security” as a full-time job title, and two thirds of whom carry a CISSP or other professional security credentials.
“I am continuously frustrated by the amount of time, money, and angst I spend on compliance and certifying our security posture,” said one survey respondent. “I often feel that security actually suffers because these tasks pull time and attention away from ensuring systems are secure and non-compromised.”
In the study, the vast majority of security professionals – 57 percent — cited sophisticated, targeted attacks as their greatest concern. Yet, only 26 percent of respondents indicated that targeted attacks were among the top three IT security spending priorities in their organization, and only 20 percent of respondents said that targeted attacks were among the top three tasks where they spend the most time.
More than a third of the Black Hat survey respondents say that their time is consumed by addressing vulnerabilities in internally-developed software (35 percent) or in off-the-shelf software (33 percent). Meanwhile, their budgets are often consumed by compliance issues (25 percent) or sealing accidental leaks (26 percent), leaving them short of resources to fight the real threats.
“Many times, senior leadership is trying to compile data on complex security tasks to report up the chain to someone who is compiling and rolling up data even further — at which point the relevance of the reported data is completely useless,” said one respondent. “Yet, I am required to spend vast amounts of resources dedicated to the collection of meaningless data.”
While compliance and software vulnerabilities require a disproportionate amount of budget and time, many security professionals feel that media and public perception cause attention to be deflected from the most critical issues in IT security.
“Close to half (41 percent) of respondents believe that the media has overplayed the issue of domestic government surveillance, and more than a quarter (27 percent) say the media focuses too heavily on hacktivists and politically-motivated attackers,” the Black Hat report says. Among management, security professionals perceive a high rate of concern (29 percent) over malicious insiders, which was a top concern for only 17 percent of security professionals.
“Similarly, many Black Hat attendees feel that key threats are being overlooked,” the report continues. “Twenty-six percent of respondents say that phishing and social engineering do not get enough attention in the media and at industry events. Accidental data leaks by end users and new vulnerabilities introduced by off-the-shelf software are also areas that are do not receive adequate attention,” Black Hat attendees said.
“I am infinitely frustrated that my efforts are not put towards more productive endeavors,” said one respondent. “Security budgets are under intense scrutiny with the headlines, but these budgets will fade as quickly as the headlines. Reprioritization is a must for any organization.”
Nearly a third (31 percent) of Black Hat attendees cited end users as the weakest leak in the security chain. “The biggest roadblock I have is a lack of cultural importance on security,” said one survey respondent. “Trying to convince people to take extra steps — better password management, regular patching, security audits, etc. — is nearly impossible when the company doesn’t feel those steps are important.”
Other Black Hat attendees agreed. “We have programs in place to educate the employees, but high turnover and general apathy are a constant problem,” said one.
But one fifth of respondents (20 percent) said a heavy focus on single-purpose solutions and technologies is creating a growing roadblock to the development of a comprehensive security architecture. These respondents cited “a lack of security architecture and planning that goes beyond firefighting” as their weakest link.
“A good deal of budget needs to be created for actual architectural work to ensure the foundation of the IT solutions that we provide to our customers is secure — and that the design of these solutions implements sound security principals,” one respondent said.
While Black Hat attendees differed in their views on the weakest links in the security chain, most agreed that they do not have enough resources to defend the organization. “Only 27 percent of respondents said they feel their organization has enough staff to defend itself against current threats; nearly a quarter (22 percent) described their security departments as being ‘completely underwater,'” the report says. “Similarly, only one third (34 percent) of security pros said their organization has enough budget to defend itself against current threats; 21 percent said they are ‘severely hampered’ in their defenses by a lack of funding.”
One survey respondent put it even more bluntly: “I feel like I am living below the poverty line,” he said. “My house has dozens of holes, and I have to choose between feeding myself or spending money on fixing the holes.”
Enterprises and their security organizations must rethink their priorities and their allocation of resources to match the current threat, the 2015 Black Hat Attendee Survey states.
“The central message that comes across in all of these questions is that while sophisticated security professionals are increasingly convinced that a major breach is inevitable, most of those security pros do not feel they have the resources and training they need to defend their organizations. The combination of these responses should ring warning bells to the industry that security defense strategies and resources need serious rethinking, and that the people who walk the walls and guard the doors are not confident in their ability to keep online adversaries out of enterprise systems and data.”