Sometimes our annual Strategic Security Survey can be plodding. The responses tend not to vary much year over year, and we've come to know what to expect: Companies have core information security tools, and they know where the threats are coming from, yet they still get hammered. And it's not just small or clueless companies that get breached; attackers took some notable scalps recently. For instance, EMC's RSA unit, which should know a thing or two about protecting its information assets, fell to the one-two punch of a targeted phishing email with a malicious attachment.
But in this year's survey, we were pleasantly surprised to see movement--and in a positive direction. The biggest change in 2011 is in the area of executive involvement in security policy and budgets, indicating that businesses are finally understanding that when it comes to security, everyone needs to pay attention. But this heightened executive involvement also means more scrutiny for security executives and managers. CEOs want to see results.
Our 2011 Strategic Security Survey report also collects new data on mobile devices. Security pros are gauging the threat that smartphones and tablets represent to the business. The top-level takeaway: Few companies are panicking about mobile risks, but few are ignoring them.
You Have Their Attention
A common complaint from security pros is that top executives don't consider security a priority. As one survey respondent comments, "Upper management rarely considers the value of security--until an attack or breach occurs."
But this reactivity may be changing. Our survey results show a small uptick in the share of respondents expecting their security budget to grow: 38% say it will increase in 2011, compared with 36% who said so in 2010. That isn't a jump to crow about, but money follows priorities, so it's a sign that security is getting more attention.
We're also seeing encouraging movement on management buy-in and adequate funding, long regarded as a problem by security pros. Only 23% of the 1,084 survey respondents list a lack of buy-in and funding as a challenge this year, compared with 27% last year.
When asked what might increase their companies' vulnerability to attack, the number of respondents citing "budget constraints" fell by 8 percentage points compared with 2010, from 38% to 30%. And those who cited a lack of senior management attention or interest fell by 3 percentage points, from 28% to 25%.
Other survey results also are promising. For instance, both the CEO/owner and the CFO show increased involvement in security policy decisions and security spending. In 2010, only 27% of CEOs and presidents were said to be involved in security policy decisions; in 2011, that jumped to 34%. In 2010, 46% of CEOs and presidents were said to be involved in security spending decisions; in 2011, it rose to 52%. As for CFOs, 56% are involved with security spending, according to our 2011 survey, up from 52% in 2010.
By themselves, these numbers aren't eye-popping, but when taken in aggregate, they indicate that executive attitudes about security are changing.
Having your CEO and CFO involved has significant benefits. They can become allies to support your agenda and decisions among your business peers, as well as at the board level. They will press you on how and why certain things are done (or not done), forcing you to justify them. This becomes an opportunity to educate them, as well as share your strategy and vision for your company's security program.
However, executive attention can be a double-edged sword. Now that business leaders are paying more attention, they will demand results, measured in the number of attacks thwarted, reduced time spent addressing security problems, and other ways. If IT and security teams don't execute, it could put the future of security funding in jeopardy.
Therefore, it's critical that security leaders know what to communicate to executives, and how, especially executives who don't deal with security issues regularly. We recommend that you focus on scenarios and real people in your company to express how or what is improving. For example, if Bob the CFO is known for emailing links to funny stories or photos, use that as an example of how someone could easily mistake a malicious link for a trusted one. The more you can integrate your people and your company's practices into the security scenario, the more likely executives will grasp the dangers.
Furthermore, analyze and communicate security metrics in a timely fashion--for example, the number of malware infections, the number of blocked outbound attachments containing confidential data, or the number of blocked connections to potentially malicious sites. Such data can be trended and graphed. Techniques such as a trailing-12-month (rolling) window can normalize out cyclical spikes, such as the increase in attacks around Christmas, so that a seasonal bump isn't mistaken for a new trend, and a real trend isn't hidden by one.
If you have to run a security project or set of policies for six months to a year before you can determine they're effective, you may not get the support you need because the timeline is too long. Monthly or even weekly indicators that you can communicate to the executive team will keep them informed, show you're moving in the right direction, and help you adjust more quickly to threats because you'll get information sooner.
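As an added illustration of the trailing-12-month technique described above (this is example code written for this page, not anything from the survey or its authors), the block below smooths a constructed series of monthly malware-infection counts that has a December spike each year. It reports both the raw and the trailing-12-month (TTM) month-over-month and year-over-year changes, which is the comparison an executive update needs: the raw December number looks like a 100% surge, while the TTM view shows the underlying decline. The counts, the 12-month window and the function names are all assumptions chosen for the example.

```python
"""Trailing-12-month (TTM) view of a monthly security metric.

Added example; the numbers are constructed, not survey data."""

# Constructed sample: monthly malware-infection counts for two years, with a
# December spike each year and a modest improvement in year two.
MONTHLY_INFECTIONS = [100] * 11 + [200] + [90] * 11 + [180]


def trailing_window_sums(counts, window=12):
    """Sum of the last `window` values at each index; None until a full window exists."""
    if window <= 0:
        raise ValueError("window must be positive")
    sums = []
    running = 0
    for i, value in enumerate(counts):
        running += value
        if i >= window:
            running -= counts[i - window]   # drop the value that fell out of the window
        sums.append(running if i >= window - 1 else None)
    return sums


def pct_change(new, old):
    """Percentage change from old to new; None when old is zero or missing."""
    if not old:
        return None
    return (new - old) / old * 100.0


def latest_month_report(counts, window=12):
    """The four comparisons worth putting in front of an executive for the latest month:
    the raw month-over-month change (noisy, seasonal), the TTM month-over-month change
    (smoothed), and both figures against the same month a year earlier."""
    if len(counts) < 2 * window:
        raise ValueError("need at least two full windows for year-over-year comparisons")
    ttm = trailing_window_sums(counts, window)
    i = len(counts) - 1
    return {
        "raw_mom_pct": pct_change(counts[i], counts[i - 1]),
        "ttm_mom_pct": pct_change(ttm[i], ttm[i - 1]),
        "raw_yoy_pct": pct_change(counts[i], counts[i - window]),
        "ttm_yoy_pct": pct_change(ttm[i], ttm[i - window]),
    }


if __name__ == "__main__":
    for name, value in latest_month_report(MONTHLY_INFECTIONS).items():
        print(f"{name:>12}: {value:+.1f}%")
```

On the constructed data the raw month-over-month figure for the final December is +100%, while the TTM figure is about -1.7% and both year-over-year figures are -10%: the window absorbs the seasonal spike but still reflects the genuine improvement. The same function works on weekly counts with a 52-week window.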
In addition, focus on the overall accuracy of the information instead of granular precision. For example, communicating that there's an 18% to 22% chance of X occurring is better than stating there's a 20.15% chance. A range conveys the uncertainty in the estimate; a figure quoted to two decimal places implies a precision the underlying data rarely supports and invites argument about the decimals instead of the decision.
One other thing: Lose the geek-speak. Your job is to translate complex technical information to people who are more schooled in business than computers. Unless you're giving a talk at Black Hat or ShmooCon, don't load up presentations with detailed discussions of cross-site scripting or buffer overflows in order to dazzle executives with your knowledge. You'll only make them bored or impatient--and that won't help your case.
If you're getting more funding, you may be tempted to spend it on products. Yes, an IT organization needs a comprehensive toolset, but we think you get more sustainable results by hiring smart security people instead of buying more stuff.
Why? There's a limit to what products can achieve. Respondents to this year's survey rate nearly every security technology we listed as less effective than last year's respondents did. The tools they rate most effective--firewalls, VPNs, and data encryption--are already in place in most companies.
You need people and processes to make security more effective. Don't give short shrift to daily tasks such as analyzing logs, reading reports, and updating systems. And don't underestimate the importance of human ingenuity and creativity. It's easy to throw money at a tool and declare the company is more secure, but we think you'll get a better ROI on people.
One area where you can put those people to work is risk assessment. The news media's focus on particular attacks or vulnerabilities can send executives into a panic, but if a particular threat represents a very low risk to your company, it needs to be treated as such. Assessing risks is a much better alternative to running around trying to prevent every threat under the sun.
In our survey this year, 68% of respondents said their companies perform risk assessments. Of that 68%, 30% rate them as very effective. We find that percentage to be rather low considering the amount of research available on the value of risk management frameworks.
So how do you make your risk assessments more effective? One simple step is to use the data you collect. We're amazed that our recent IT Risk Management Survey shows that only 25% of companies use risk assessments to arrange their information security priorities.
When we asked in our survey this year which types of security breaches are top of mind, malware and phishing topped the list, though the percentage of respondents expecting those attacks fell from a year ago. A larger percentage of respondents, however, expect mobile application intrusions--33% this year compared with 23% last year, the biggest year-over-year increase of the 11 breach types in our survey. In fact, expectations for most of the other attack types seem to be declining.
What makes mobile so hot? Surely the rapid rise of smartphones and tablets. Employees are bringing their iPhones, iPads, and other personal devices into the enterprise, calling on IT to link them to email and other corporate apps. At the same time, the Web makes it easy for workers to use productivity tools like Google Docs, Dropbox, and Evernote with or without IT's blessing.
For example, Evernote is a popular Web application that synchronizes notes across a user's client devices and the Web. Confidential information from meetings and conference calls is stored in Evernote and synced online. Almost every executive I know with an iPhone or iPad uses the app.
There are two major problems: device security and application security. We'll start with device security. In the old days (that is, three or four years ago), your smartphone choices were pretty much BlackBerry or Windows Mobile, and most of those devices were sanctioned and supported by enterprise IT.
Today, there are more than 100 Android flavors because each handset maker changes the operating system to suit its own requirements. Throw various tablets onto the pile, including those from Avaya, Cisco, Hewlett-Packard, and Research In Motion, and you've got a serious mess on your hands. This trend is called the consumerization of IT. As one CIO said at a recent gathering: "Consumerization is a parade. You can either try to stop it and get trampled, or grab the baton and lead the parade."
Mobile Device Management
Our survey respondents are aware that the parade is headed their way. Almost a quarter of them see mobile devices as a significant security threat. Another 46% say they're a minor threat. The good news is that 53% of respondents have mobile security policies in place. The bad news is that 44% say they either don't have any policies or don't enforce the ones they have.
So how do you deal with all of these different devices connecting to your network? In our experience, most companies aren't; they simply let any device connect and then rely on user names and passwords to authenticate and authorize the user.
A better approach is to implement proper mobile device management (MDM), especially for companies with large numbers of users, because manual processes can't scale. Handset makers are constantly rolling out new phones with new software versions, and employees change devices quickly to get the latest and greatest features.
MDM software, from vendors such as Echoworx and MobileIron, lets you control which devices connect to corporate services such as email; lets you determine which apps users can and can't install; and performs critical functions such as remote wiping and device recovery.
Remote wipe is a must-have, according to our survey respondents. When we asked about top mobile security concerns, losing a device containing corporate data topped the list. And it's not just lost devices that should concern IT. Employees can swap an old phone for a new one at a carrier's wireless store. Do you trust the user, or the store, to wipe the phone properly?
A third of survey respondents have MDM software in place, and another 36% are evaluating it.
The other side of mobile security is the applications that run on the devices. There has been a rash of Android-related Trojans and malicious apps since March, and we don't expect the trend to stop. Android's capability to use other app stores that may not be policed as well as the Android Market will lead to additional compromises.
If your company is developing or plans to develop mobile applications, get involved immediately. The same weaknesses that plague traditional software, such as hard-coded credentials, susceptibility to man-in-the-middle attacks, and insecure storage of sensitive data, show up in mobile apps, too. New exploits allow different types of mobile devices to be compromised, giving attackers access to personal data, letting them steal identities, and letting them intercept the communications between a mobile banking app and the bank's website.
Another mobile application threat comes with the use of Quick Response (QR) codes or Microsoft Tag codes, which are the little squares that replace bar codes on ads and products. These codes can be scanned by a smartphone running an application such as Microsoft Tag Scanner or ShopSavvy. Marketing folks are adopting these codes to interact with and track potential buyers.
For example, customers can scan the QR code on a product in the grocery store, and if they tweet about it or "like" the company's Facebook page, they receive a coupon or other enticement. Companies such as Best Buy and Home Depot are using these codes in every store and weekly ads.
The problem with QR code scanners is that most of them don't show the user the URL, or a preview of the website, after the code is scanned. They simply open the smartphone's browser and send it to the URL stored in the bar code. The code itself is not human-readable, so if that URL points to a malicious site, or to a download that installs a malicious app, the user has no chance to notice before the page loads.
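To show what a "preview before opening" step looks like, here is an added example (written for this page, not taken from any scanner product or from the article's authors) that takes the decoded text of a scanned code and decides whether a scanner app should open it, ask the user first, or refuse. The scheme list, the installer suffix list, the heuristics and the allowlist parameter are all assumptions chosen for illustration; a real scanner would pair this with the host being displayed to the user.

```python
"""Preview check for a scanned QR / 2-D bar-code payload before it is opened.

Added example. The scheme list, suffix list and heuristics are assumptions chosen
for illustration, not a published standard or the behaviour of any named scanner."""
import ipaddress
from urllib.parse import urlsplit

# Schemes that do something other than load a web page (place a call, send an SMS,
# open an app store listing, run script). A scanner should not hand these off silently.
NON_WEB_SCHEMES = {"tel", "sms", "smsto", "mailto", "market", "intent", "file",
                   "javascript", "data"}
# Path suffixes that mean "install something" rather than "show a page".
INSTALLER_SUFFIXES = (".apk", ".exe", ".jar", ".msi", ".dmg", ".pkg")


def preview(payload, allowlist=frozenset()):
    """Classify a decoded payload. Returns (verdict, host, reasons) where verdict is
    'open' (safe to load), 'confirm' (show host and reasons, ask the user) or 'block'.
    `allowlist` is an optional set of domains (e.g. a retailer's own) to treat as known."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    if not scheme:
        return "confirm", None, ["payload is not a URL; display it as plain text"]
    if scheme in NON_WEB_SCHEMES:
        return "block", None, [f"'{scheme}:' scheme can trigger a call, SMS or app install"]
    if scheme not in ("http", "https"):
        return "confirm", None, [f"unrecognized scheme '{scheme}:'"]

    host = (parts.hostname or "").lower()
    if not host:
        return "block", None, ["URL has no host"]

    reasons = []
    hard_block = False
    if scheme == "http":
        reasons.append("plain http: page content can be altered in transit")
    if parts.username is not None:
        # e.g. http://bank.example@evil.example/ -- the part before '@' is ignored by browsers
        reasons.append("credentials before '@' hide the real host")
        hard_block = True
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a brand's domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) hostname; possible look-alike")
    if parts.path.lower().endswith(INSTALLER_SUFFIXES):
        reasons.append("link downloads an installable package")
        hard_block = True
    try:
        if parts.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parts.port}")
    except ValueError:
        reasons.append("malformed port")
        hard_block = True
    if allowlist and host not in allowlist and not any(host.endswith("." + d) for d in allowlist):
        reasons.append("host is not on the allowlist")

    if hard_block:
        return "block", host, reasons
    return ("confirm" if reasons else "open"), host, reasons


if __name__ == "__main__":
    for sample in ("https://www.example.com/promo",
                   "http://bank.example@192.0.2.1/coupon.apk",
                   "tel:+15555550100"):
        print(sample, "->", preview(sample))
```

The point of the example is the shape of the check rather than the specific rules: decode to text first, parse it as a URL, surface the host, and refuse to auto-navigate for anything that would place a call, install a package, or disguise where the phone is really going.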
Information security professionals have a difficult job. There are a hundred ways for sensitive information to be pilfered or exposed and services to be compromised or disrupted. Security teams have to do everything right all the time, while attackers have to only do something right once to wreak havoc.
This Herculean task could be made easier with executive and organizational support. That's why we're pleased to see signs that this might actually be occurring. We'll check back next year to see if the results discussed here are the start of a trend, or a statistical aberration.
Meantime, security leaders have an opportunity to influence this outcome. Take advantage of this higher profile in the company to drive strategies and provide measurable indicators of success. In fact, the burden is now on security pros: With increased scrutiny comes a greater imperative to deliver, and executives will want a return on their investment.
Of course, security teams will still struggle with a lack of resources, increased volumes of attacks, and the growing complexity of today's networks. Mobile devices, social media, cloud computing, and other new technologies will challenge existing policies and processes and force security teams to stay abreast of potential new threats. But overall, 2011 shows encouraging signs for security professionals.