First, the good news: IT has to put less effort into getting buy-in and sufficient funding for security. The bad news? Fifteen percent of organizations report being more vulnerable to attacks and data breaches--the same percentage as last year, according to InformationWeek's 2012 Strategic Security Survey.
In fact, that figure has been fairly consistent since 2009, notes Michael A. Davis, CEO of Savid Technologies, a Chicago-based technology and security consulting firm. Davis authored the report on the survey, in which more than 900 IT professionals participated.
The No. 1 reason cited for the increased vulnerability is the increased sophistication of the attacks, followed by the number of ways to attack a corporate network. Davis says one notable change was a 10-point jump in the percentage of respondents who cited growing volumes of data as a factor in their increased vulnerability.
Also mostly unchanged is that 19% of companies reported experiencing a breach this year, compared with 20% in 2011. What are the effects of those attacks? While 42% reported in 2011 that network/business applications were unavailable, that number decreased to 35% in 2012. Some 30% also reported that intellectual property was stolen or information confidentiality was compromised in 2012, virtually unchanged from last year's figure of 31%.
Add to the mix the fact that too many disparate mobile security policies are also leaving organizations vulnerable, and it would seem like a no-brainer that management would increase spending on security. Yet that isn't happening--security spending remains flat: 31% of respondents said security budgets would increase in 2012, compared with 38% in 2011, while 52% said budgets would remain about the same, compared with 49% last year.
The most surprising aspect of the survey findings is the lack of secure software training and secure software development, says Davis. "Given that we have seen SQL injection at the top of every vulnerability list for at least three years, you'd think organizations would have a plan in place to address these types of security issues, yet most don't."
Davis says if software is being developed in-house and IT isn't addressing software vulnerability, management needs to start that, pronto. "There are tools such as static and dynamic code analyzers that can put big dents in the number of security issues your software developers are creating," he says. "If you don't have money for tools, work with the PMO or software development life cycle to add in risk assessments and threat modeling to at least get in front of insecure software design, while you build the business case for the tools."
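To make concrete both points Davis raises here, the SQL injection that tops the vulnerability lists and the kind of defect a static code analyzer flags, the following is an added example, not code from the article or from Savid Technologies. It builds a constructed in-memory SQLite table, shows a lookup that splices user input into the query text beside its parameterized fix, and then runs a toy regex-based check (a stand-in for a real static analyzer, not one of the tools Davis refers to) over a few constructed source lines. The sample table, the `users` schema and `SAMPLE_SOURCE` are all assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: one users table with three rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The defect: input is spliced into the SQL text, so a crafted value
    can change the query's structure (its WHERE clause) rather than just
    supplying a value to compare against."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """The fix: a parameterized query. The value travels separately from the
    SQL text, so whatever it contains is compared as data against the column."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Toy static check: flag source lines that build an SQL statement with string
# concatenation or formatting. Real analyzers do data-flow analysis; this is a
# deliberately simple pattern to show what such a tool is looking for.
SQL_CONCAT = re.compile(
    r"""["']\s*(SELECT|INSERT|UPDATE|DELETE)\b.*?["']\s*(\+|%|\.format\()""",
    re.IGNORECASE,
)


def flag_sql_concatenation(source_lines):
    """Return 1-based indices of lines that match the concatenation pattern."""
    return [i for i, line in enumerate(source_lines, start=1) if SQL_CONCAT.search(line)]


# Constructed source lines for the check (not taken from any real code base).
# Line 4 is a deliberate false positive: a log message, not a query, which is
# the kind of finding a developer must triage when a tool is first switched on.
SAMPLE_SOURCE = [
    'query = "SELECT name FROM users WHERE name = \'" + name + "\'"',
    'cur.execute("SELECT name FROM users WHERE name = ?", (name,))',
    'sql = "DELETE FROM sessions WHERE id = %s" % session_id',
    'log.info("SELECT took %d ms" % elapsed)',
]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic textbook input that alters the WHERE clause
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row comes back
    print("safe:      ", find_user_safe(db, probe))        # nothing matches
    print("flagged lines:", flag_sql_concatenation(SAMPLE_SOURCE))
```

Run stand-alone, the vulnerable lookup returns all three names for the probe input while the parameterized version returns none, and the check flags lines 1, 3 and 4 of the constructed sample. The false positive on line 4 is intentional: the article's point that tools "put big dents" in defect counts holds, but someone still has to own the triage, which is why Davis pairs tooling with risk assessments and threat modeling in the development life cycle.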
IT isn't adapting to the current threats and trends, Davis says. "They are running around like chickens with heads cut off and getting nothing done," he says. "If it was up to me, I would ask most security professionals to take three months and not read a single news piece on the latest threats or trends and focus on getting at least one new prevention and detection [technology] fully in place that solves one of their vulnerabilities."