Managing the growing complexity of security is keeping IT professionals up at night, according to the latest findings of InformationWeek's 2012 Strategic Security Survey. More than half of the 900-plus IT and security professional respondents say it's their greatest network security challenge.
And they're right to be worried. Overall, the state of organizations' security programs is "adequate for compliance, but not good enough to prevent even basic attacks,'' says Michael A. Davis, CEO of Savid Technologies, a Chicago-based technology and security consulting firm, who authored the report on the survey findings. The problem, from Davis' standpoint, is that most programs are broad and cover all the various compliance requirements, from cloud security, business continuity and disaster recovery to mobile devices and everything in between.
"Sadly, though, most programs don't include good metrics programs to gauge their effectiveness, and most focus on meeting the minimum requirements, rather than taking a best practices-based approach that is customized to the environment at hand," Davis says. He adds that he sees many policies being adapted from other companies, especially if a new CSO borrowed them from a previous employer. "These adaptations help meet compliance quickly, but aren't always customized to the environment and don't accurately reflect real life."
Organizations tend to focus on the latest threats, rather than what they're vulnerable to, observes Davis. "For example, mobile security is everywhere, and it seems every company is looking at the problem and investing time and money to solve it," he explains. "Yet mobile threats are miniscule compared to real threats that have had a consistent impact on organizations, such as phishing, SQL injection and malware." Organizations need to deal with what's more likely to happen, rather than "the latest and greatest threat" being publicized, he emphasizes.
Most organizations aren't measuring the effectiveness of network security using metrics, he says, which means they have no way of determining if they're doing a good job. "Sadly, the yardstick for a good security program during the past 10 years has been whether you are compliant or not," Davis says. "Compliance means nothing. You can be compliant yet insecure." He says the new Service Organization Control 2 and SOC 3 will help organizations move into measuring effectiveness, since these new attestation reports require not just a single point-in-time review, but also proof of effectiveness over time. But Davis says most organizations are very slow to adopt the reports.
Next: Cloud Security a Concern; Mobile Devices, Not So Much