Security Investments and the Definition of Insanity
A survey of IT professionals finds companies continuing to prioritize network perimeter protections – with little to show for it.
There’s the dictionary definition of insanity – “severe mental illness” or “the condition of being insane.” And then there’s the popular urban dictionary/Einsteinian definition of insanity, which is “doing the same thing over and over again while expecting a different result.”
That latter definition may apply to the way many firms are structuring their information security programs and investments, if the results of a recent survey of 1,100 information technology “decision makers” are to be believed.
That survey, the recently published Data Security Confidence Index, found that employers were increasing investments in traditional perimeter security tools like firewalls, antivirus, and content filtering tools. A strong majority of the surveyed IT decision makers – 61% – expressed confidence that those investments were effective at keeping unauthorized users out of their network.
But, of the surveyed IT pros, 64% said that their organizations had experienced a breach within the last five years, and more than a quarter (27%) admitted to working for a company that had experienced a breach in the last 12 months – a surprising figure. Paradoxically, 69% of those surveyed said they are not confident that their organization’s data would be secure if their perimeter security was breached.
The Data Security Confidence Index (DSCI), compiled by the security and identity management firm Gemalto, revealed the strange disjunction between information technology spending and need. Namely: perimeter security technologies still account for much IT spending, even as IT professionals recognize that their networks would not fare well should those protections fail.
Sixty-nine percent of the 1,100 IT decision makers Gemalto surveyed surmised that their organization’s data would not be secure if an unauthorized user penetrated their network. That’s especially troubling given that a strong majority of those surveyed (66%) acknowledged that unauthorized users could do just that – with 16% predicting that an unauthorized user could access “the entire network.”
The recent spate of massive password leaks, including collections of millions of passwords from MySpace, LinkedIn and – most recently – Twitter, suggests that concerns about the security of data held by even sophisticated firms are not overblown. The leaks of credentials also have ripple effects, as attackers look to leverage credential re-use to infiltrate other organizations (see also: Mark Zuckerberg).
So what’s going on? Dig into the DSCI data and what you find is evidence of a not-yet-complete transition. True, spending on perimeter defenses is projected to rise by the 1,000-plus IT decision makers Gemalto surveyed. But so are investments in data security technologies and identity and access control. In fact, 63% of those surveyed reported that their organization would increase investment in data security in the next year, only slightly lower than the 68% of those surveyed who said that about perimeter security investments.
Moreover, those surveyed seemed happier with the amount of money being spent on IT security and where it is going. Seventy-seven percent of those surveyed were happy with how much their organization spends on security, up from just 50% in 2014, according to the report. Eighty-five percent said they believed that the current investments are going to “the right security technologies.”
What is also clear, however, is that IT decision makers would adjust the mix of investments from where it is now. Asked how they would allocate IT security budget if they could, 51% of those surveyed said they would put most of their budget into data security, while just 32% said that about perimeter security – a big shift from where spending sits today.
That simply reflects the reality of data breaches. Companies today face diverse threats and persistent, sophisticated adversaries. Neither perimeter nor data security tools are sufficient, alone, to “solve” the breach problem. In fact, when respondents whose organizations had been breached were asked to describe the source of the breach, most said that both external and internal sources were responsible for the incident.
So where does that leave us? IT professionals are clearly at a crossroads.
Traditional security investments such as firewalls, antivirus and intrusion detection are just as needed now as they were a decade ago. In fact, given a choice of just one security technology to rely on, perimeter defenses were the choice of most respondents. And yet it’s clear that IT professionals recognize the limits of those technologies, especially in the face of nimble and fast-evolving threats. Given limited IT budgets, of course, one technology’s gain is often another’s loss. Still, it’s worthwhile for companies to consider their mix of technologies and investments with an eye to the future, not the past.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum, a one-day security and Internet of Things event that takes place in Cambridge, MA on September 22.