Survey Finds Yawning Gap Between Security Haves, Have-Nots
A survey comparing average companies with security leaders from the Global 1000 finds a vast gulf in readiness, including in the area of content intelligence.
Gaps in wealth and sophistication aren’t just the stuff of social science and political debate. Increasingly, they also help us to understand the dynamics within marketplaces, including information security.
Observers have long noted the existence of what 451 Research analyst Wendy Nather famously termed the “security poverty line”: the inability of some organizations to afford the remedies necessary to reach what Nather called “an effective level of security.”
As with privation in other arenas, security poverty comes down to a lack of financial resources. “When you don't have a lot of IT money,” Nather observed, “you can't afford your own IT staff (or you go with whatever you can borrow or rent).”
As with poor families, companies below the security poverty line struggle just to get by. They’re not struggling to put food on the table, but they are struggling to keep systems patched, stamp out virus infections, provision and de-provision users, and so on. The tyranny of the day-to-day means there is neither time nor money for long-term planning, analysis of organizational risk, or investment in new tools and processes.
The security poverty line came to mind this week when I read the results of RSA’s new Breach Readiness Survey, which compared the results of 170 rank-and-file organizations against the security equivalent of the “1 percent.” Namely: members of the Security for Business Innovation Council, or SBIC. The SBIC firms are security leaders from among the Global 1000 companies – a group of the largest and wealthiest firms on the planet that includes Johnson & Johnson, JP Morgan Chase, T-Mobile, ADP, Walmart, Intel, Boeing Company and General Electric, among others.
The results of the survey are eye-opening. On pretty much every measure of security “readiness” and response capability, the rank-and-file companies performed far below the level of SBIC members.
The gap between the “haves” and “have-nots” was particularly pronounced in the area of content intelligence, which RSA defined as “awareness gained from tools, technology and processes in place to identify and monitor critical assets.” These are things like log management tools, asset and vulnerability tracking and incident management tools.
RSA found that all of the SBIC companies polled had fully developed “content intelligence,” giving them the ability to “gather data and provide centralized alerting.” However, just over half of the 170 non-SBIC companies did.
On the issue of “analytic intelligence,” a term RSA uses to refer to post-event threat analysis, the SBIC companies once again far outstripped their rank-and-file counterparts. 83% of SBIC firms polled said they have network forensics tools that can do full packet capture and analysis. Just 42% of rank-and-file companies did.
This isn’t an issue of what company or IT team has the newest, shiniest toys to play with. In a threat environment characterized by stealthy and sophisticated attacks, the right tools and talent can spell the difference between an incident that lasts three hours and one that lasts three months.
The companies that do best have “full-time, dedicated security operations staff” with “clearly defined management roles” in areas like security systems, intelligence and incident response and security data and analysis, RSA concluded.
Alas, few rank-and-file organizations can manage that. Just 30% of the rank-and-file firms had a formal incident response plan, compared to 100% of the SBIC companies polled. Close to 70% of the SBIC companies also frequently updated their IR plans based on lessons learned from incidents. Among the 30% of non-SBIC firms that did have IR plans, 57% “infrequently or never review or update those plans,” the survey found.
What’s the message? Unfortunately, security poverty can be as difficult to eradicate as other kinds of poverty. When you’re scraping just to be able to put food on the table, it’s hard to find the time to step back and contemplate the situation you find yourself in. Also, compliance demands have a way of eating into whatever IT security budget exists, directing much needed funds to areas of marginal benefit.
But many of the best things in security (as in life) are free. Companies can take steps to improve their security organization at little or no cost: align IT and IT security, clarify roles and responsibilities, and blow the dust off the incident response plan and read it to see how well it is holding up.
Companies can create a group to review recent cyber incidents, assess incident response and distill “lessons learned.” From that, IR practices can be updated and roles clarified. At the end of the day, much of the heavy lifting to improve security outcomes doesn’t require new tools or technology. However, the results of the RSA survey make clear that there still is much work to be done.
Paul F. Roberts is the Editor in Chief of The Security Ledger.