Cloud Security a Concern, Mobile Devices Less So, Survey Finds

Managing the growing complexity of security is keeping IT professionals up at night, according to the latest findings of InformationWeek's 2012 Strategic Security Survey. More than half of the 900-plus IT and security professional respondents say it's their greatest network security challenge.

And they're right to be worried. Overall, the state of organizations' security programs is "adequate for compliance, but not good enough to prevent even basic attacks,'' says Michael A. Davis, CEO of Savid Technologies, a Chicago-based technology and security consulting firm, who authored the report on the survey findings. The problem, from Davis' standpoint, is that most programs are broad and cover all the various compliance requirements, from cloud security, business continuity and disaster recovery to mobile devices and everything in between.

"Sadly, though, most programs don't include good metrics programs to gauge their effectiveness, and most focus on meeting the minimum requirements, rather than taking a best practices-based approach that is customized to the environment at hand," Davis says. He adds that he sees many policies being adapted from other companies, especially if a new CSO borrowed them from a previous employer. "These adaptations help meet compliance quickly, but aren't always customized to the environment and don't accurately reflect real life."

Organizations tend to focus on the latest threats, rather than what they're vulnerable to, observes Davis. "For example, mobile security is everywhere, and it seems every company is looking at the problem and investing time and money to solve it," he explains. "Yet mobile threats are miniscule compared to real threats that have had a consistent impact on organizations, such as phishing, SQL injection and malware." Organizations need to deal with what's more likely to happen, rather than "the latest and greatest threat" being publicized, he emphasizes.

Most organizations aren't measuring the effectiveness of network security using metrics, he says, which means they have no way of determining if they're doing a good job. "Sadly, the yardstick for a good security program during the past 10 years has been whether you are compliant or not," Davis says. "Compliance means nothing. You can be compliant yet insecure." He says the new Service Organization Control 2 and SOC 3will help organizations move into measuring effectiveness, since these new attestation reports require not just a single point-in-time review, but also proof of effectiveness over time. But Davis says most organizations are very slow to adopt the reports.

Next:Cloud Security a Concern; Mobile Devices, Not So Much

They're responding faster to issues of cloud security, however. The survey found that 29% of respondents conduct their own risk assessment audits, compared with 18% in 2011. Fifteen percent do not perform any type of assessment, compared with 28% last year. Fourteen percent of respondents say they rely on the self-audit reports that vendors provide, such as the Statement on Standards for Attestation Engagements No. 16, or SSAE16, auditing standards that service providers use to attest to controls they have in place, the report notes.

Davis says that isn't adequate. "We don't recommend you blindly accept the reports vendors provide," he writes. "One reason is that each SSAE16 attestation contains different sets of scope and system descriptions, so one provider's SSAE16 may be dramatically different from another's."

The bring-your-own-device (BYOD) trend doesn't seem to worry security professionals: 44% say mobile devices present only a minor threat, compared with 25% who say they are a major threat. The numbers were similar in 2011. "Respondents who perceive mobile devices as a security threat say the loss of a device is the most significant security concern with mobile devices, and we agree," writes Davis. "These devices are easy to lose and easy to steal, so remediating the effects of a loss or theft should be the top priority for security teams."

The survey also found that 31% of respondents use mobile device management (MDM) software to set and enforce security policies, with another 39% evaluating or piloting them. Davis advises that while MDM software is recommended, organizations need to be mindful of its limits.

One of the more interesting survey findings, he says, is a marked increase in concern over mobile devices being used to remove sensitive business information--the number of respondents citing this jumped from 36% in 2011 to 44% in 2012. But Davis notes that data theft, particularly by insiders, is not a new network security threat.

In Part 2 of our report on InformationWeek's 2012 Strategic Security Survey, we explore how IT should deal with the complexity of managing information security.