08:00 AM

Utilities Don't Consider Security To Be A Strategic Priority, Ponemon Study Shows

Utility and energy industry executive management hasn't fully bought into IT security, according to a Ponemon Institute survey of IT and security practitioners in these critical infrastructure companies. Fewer than half the respondents said that security is a strategic priority across the enterprise, and only 29 percent said that their C-level executives fully understand and appreciate security initiatives.

Further, in the "State of IT Security: Study of Utilities & Energy Companies," sponsored by Q1 Labs, Ponemon reports that only three of 10 companies have clearly defined lines of responsibility and authority in security operations. "There's quite a disconnect between the IT security people, who we deal with day to day, and those in executive management, around the strategic importance of IT security," says Tom Turner, Q1 Labs senior VP of marketing and channels. "Against the backdrop of headlines, this was surprising."

Minimizing downtime, selected in 55 percent of the surveys, was by far the top security objective within the organization, followed by compliance with regulatory and legal mandates (38 percent). High-profile attacks such as Stuxnet notwithstanding, preventing or minimizing advanced persistent threats (APTs) was last on the list, at just 5 percent, and preventing cyber attacks was given short shrift compared with basic security goals, such as minimizing risks and vulnerabilities and improving the organization's security posture.

While IT and security personnel agreed that compliance was important to the organization, they don't think it's a major factor in improving security. Only 23 percent viewed compliance with standards such as the North American Electric Reliability Corporation-Critical Infrastructure Protection (NERC-CIP) as a major security objective.

Negligent insiders and insecure Web applications (about four out of 10 each) are regarded as the top security threats to critical infrastructure, followed closely by "system glitches" (including process failures). The concern about negligence and system problems appears to support the high premium on up-time, and an overall message that the greatest concern is about internal failures rather than outside attack (11 percent of respondents cited malicious insiders as a top threat). Nation-state, terrorist or criminal syndicate-sponsored attacks were near the bottom of the threat list.
