Network Computing is part of the Informa Tech Division of Informa PLC

Cloud Security a Concern, Mobile Devices Less So, Survey Finds: Page 2 of 2

They're responding faster to issues of cloud security, however. The survey found that 29% of respondents conduct their own risk assessment audits, compared with 18% in 2011. Fifteen percent do not perform any type of assessment, compared with 28% last year. Fourteen percent of respondents say they rely on the self-audit reports that vendors provide, such as those issued under the Statement on Standards for Attestation Engagements No. 16, or SSAE16, the auditing standard that service providers use to attest to controls they have in place, the report notes.

Davis says that isn't adequate. "We don't recommend you blindly accept the reports vendors provide," he writes. "One reason is that each SSAE16 attestation contains different sets of scope and system descriptions, so one provider's SSAE16 may be dramatically different from another's."

The bring-your-own-device (BYOD) trend doesn't seem to worry security professionals: 44% say mobile devices present only a minor threat, compared with 25% who say they are a major threat. The numbers were similar in 2011. "Respondents who perceive mobile devices as a security threat say the loss of a device is the most significant security concern with mobile devices, and we agree," writes Davis. "These devices are easy to lose and easy to steal, so remediating the effects of a loss or theft should be the top priority for security teams."

The survey also found that 31% of respondents use mobile device management (MDM) software to set and enforce security policies, with another 39% evaluating or piloting it. Davis advises that while MDM software is recommended, organizations need to be mindful of its limits.

One of the more interesting survey findings, he says, is a marked increase in concern over mobile devices being used to remove sensitive business information: the number of respondents citing this jumped from 36% in 2011 to 44% in 2012. But Davis notes that data theft, particularly by insiders, is not a new network security threat.

In Part 2 of our report on InformationWeek's 2012 Strategic Security Survey, we explore how IT should deal with the complexity of managing information security.