There’s Still Not Enough Insecurity about Security
In theory, at least, IT organizations should be employing the services of managed security service providers (MSSPs) in droves. After all, every day the headlines are filled with one embarrassing breach after another that results in lost business, fines from the government, and irreparable damage to the value of the corporate brand.
And yet this week Intel and The Aspen Institute published a study based on a survey of 625 IT managers conducted by Vanson Bourne that finds only 27 percent of them said their organizations were very or extremely vulnerable to a security attack, which is down from 50 percent three years ago. The study also finds that only eight percent of respondents feel extremely vulnerable today, down from 12 percent who felt that way three years ago.
Satisfied but insecure
The survey also finds that four in five are satisfied or extremely satisfied with the performance of their own security tools, such as endpoint protection (84 percent), network firewalls (84 percent), and secure web gateways (85 percent). At the same time, more than 70 percent recognize that the cybersecurity threat level in their organization is escalating. Around nine in ten (89 percent) of respondents experienced at least one attack on a system within their organization, which they deemed secure, over the past three years, with a median of close to 20 attacks per year. Naturally, that’s just the security attacks they know about.
IT security professionals themselves are far less sanguine about their prospects for success. A survey of 460 security professionals who attend the Black Hat security conference found that even though 73 percent of respondents think it is likely their organizations will have to deal with a major data breach in the year ahead, the majority of them believe that they do not have enough budget, staff, and training to handle the load.
IT budget priorities
Those results may explain why a separate IT security survey conducted by The Ponemon Group on behalf of Dell SecureWorks found that only 8.2 percent of the IT budget is allocated to IT security. Worse yet, only 19 percent of the IT security budget is allocated to managed or outsourced security services, the study finds.
From an MSSP perspective, none of those results are particularly encouraging. While demand for managed security services has never been higher, the size of the overall market remains constrained by both a false sense of the security expertise of the internal IT organization and an apparent unwillingness of the senior leadership of most organizations to increase the size of the IT security budget itself. Clearly, daily reports of security breaches are being chalked up to the fact that somebody screwed up at an individual company rather than to a general recognition that most organizations are both already compromised and seriously outgunned when it comes to the technology expertise that cyber criminals have at their disposal.
Ed Metcalf, director of product and solutions marketing at Intel Security, said that as part of a “chip to the cloud” strategy Intel is investing heavily in education efforts designed to raise the overall awareness of IT security issues. The challenge, said Metcalf, is that IT security as we know it today is a “game of cat and mouse” that even most IT professionals don’t appreciate in terms of the true scope of the threat and the complexity of the challenges involved.
Perhaps the single IT security event needed to truly galvanize business and IT professionals alike has simply yet to happen. The Intel survey finds that 48 percent of respondents believe it is likely that a cyberattack will take down critical infrastructure, with potential loss of life, within the next three years. Unfortunately, not many appear willing to recognize what more needs to be done today to prevent that potential tragedy from actually occurring tomorrow.