The main culprit? Complexity, cited as the biggest security challenge by 62% of respondents. More data is ending up on the network. More agents are running on company computers, and employees expect some control over the PCs they use. As travel and energy costs skyrocket, companies are increasing the use of branch offices and teleworkers, a trend that spreads data far and wide as people expect to work securely from customer sites, home, or the coffee shop down the street.
Complexity also stems from juggling multiple compliance requirements, training and educating staff and users in security awareness, and coping with increasing technical sophistication of networks.
Most organizations (63%) must comply with one or more government or industry regulations, many of them vaguely worded and offering little guidance on translating requirements into technology. To meet compliance goals, Kevin Sanchez Cherry, information systems security office program manager with a U.S. government department, says he applies best practices, which he determines by consulting a variety of sources, including the National Institute of Standards and Technology, the SANS Institute, and colleagues facing similar challenges. By implementing one set of best practices rather than mapping each regulation separately, he doesn't need to spend much time normalizing multiple compliance requirements.
There's never a shortage of attackers, or of vendors looking to sell us ways to repel them. Problem is, most products aimed at mitigating security problems address a relatively narrow set of threats, and there are many competing technologies to choose from. Countering an ever-widening range of threats across a broad spectrum of systems still requires a slew of these point products. Good for vendors, bad for IT.
And make no mistake, we're facing a burgeoning array of hazards, from external attackers to rogue employees to authorized users. While the faceless computer criminal is the scarier source, internal users are the bigger threat because they have trust, access, and knowledge. A few will have axes to grind, but the unwitting employee who's duped into forking over company secrets or allowing a breach to occur in an attempt to be helpful is much more likely. That's tough to combat even with rigorous processes and employee-awareness programs. Fully 35% say training to stop employees from sharing passwords is either somewhat or totally ineffective. Just 38% think they'll be successful at preventing employees from falling for social engineering exploits.
Sanchez Cherry suggests using real-world examples that are relevant to the intended audience, to make problems tangible. For example, a laptop containing private information was stolen in 2006 from the apartment of an employee of the Department of Veterans Affairs. This is a prime example of a well-meaning worker causing the loss of data. It's an opportunity for people like Sanchez Cherry to pound the lesson home.
RISK MANAGEMENT IS THE ANSWER
Compliance woes. Widening attack vectors. Gullible end users. What's an IT leader to do? The best way to focus information security efforts is, broadly, to stop thinking about vulnerabilities and start thinking about risks. No organization can plug every hole; there aren't enough resources, and there never will be. Even with an infinite budget, the threat landscape is ever changing.
Risk is, at its simplest, the chance that you'll suffer a loss because of a given activity. The risk management process uses people, processes, and products to reduce the likelihood that the unwanted event will occur and, if it does occur, to minimize losses. From an IT perspective, this is more than having a security policy in place, something 54% of companies surveyed have managed to do by now.
IT needs to go against the grain and train itself to focus on the value of data and the likelihood it will be compromised, rather than on how a compromise might occur. The how is important to understand, of course, but once data is in the wind, there's no turning back.