Is it time to re-Think Enterprise IT Security?

Top-level IT security pros believe there’s a significant, unaddressed gap between enterprise security priorities and the serious threats that keep them awake at night.


According to the Black Hat USA 2015 attendee survey, 73% of enterprise security professionals believe their organization will suffer a major data breach over the next 12 months.

At a time when Gartner says enterprises have never spent more on security – more than $76 billion in 2015 – major breaches, from Target to Anthem and OPM, show no sign of abating.

Where are we going wrong?

According to the security pros at Black Hat, it’s all about priorities. Only 27% of security professionals feel capable of addressing a breach – because they’re too busy dealing with vulnerabilities introduced by internally developed and off-the-shelf software. While these threats are important to 35%, 57% view sophisticated targeted attacks as their biggest concern – an area that features in the top three spending categories of only 26% of businesses.

The second greatest concern – phishing and social engineering – receives only 22% of the security budget.

In a nutshell

The security tasks that consume the greatest amount of time and money in the enterprise aren’t always the ones that are considered the greatest threats. There’s a gap between budgets and the latest threats, and it’s difficult to bridge the divide between spending and current concerns.

It’s not the only gap: Security professionals’ perception of the threat posed by malicious insiders is lower than that of non-IT management. Only 44% of security staff believed that management rated targeted attacks as seriously as they do; that drops to 29% for social engineering. Key threats, it seems, are being overlooked as a gap grows between mainstream concerns and those of security professionals.

When it comes to defense strategies, it’s interesting to note that security professionals are worried about flaws in their own approach – one-fifth of them cite a “lack of security architecture and planning that goes beyond firefighting” as their weakest link. There’s a belief that single-purpose technologies or solutions are leaving way too many chinks in the armor.

Missed opportunities?

Despite the gap, it’s interesting to see that 81% of security experts believe non-IT-management ‘get’ security and the need for it. The belief that they have the support of management is widespread.

Maybe what’s missing is a little more communication and a conversation that frames the threats more clearly. Kaspersky Lab’s long track record in threat intelligence, including some of the highest-profile, most relevant threat discoveries, means it’s uniquely placed to facilitate this conversation.

Our understanding of the inner workings of some of the world’s most sophisticated attacks – coupled with our ability to detect and monitor them – not only gives security professionals the kind of insight they need into the latest, most relevant threats, but provides the strategic insight needed to represent these security risks at board level, aligning them directly with business impacts.

That should help differentiate between the mainstream and the critical in an environment where 91% of business users grossly underestimate threat volumes.[1]

Bend, don’t break

This survey also highlights the need for a little more business understanding of how automating or streamlining time-consuming tasks like application vulnerability management could deliver a more effective overall security strategy aligned with the knowledge and understanding of the security experts.

Kaspersky Lab’s multi-layered platform combines industry-leading security technologies and threat intelligence capabilities with fully integrated systems management features such as vulnerability assessment and patch management. By enabling the automation of critical-yet-time-consuming security functions, Kaspersky Lab helps security professionals dedicate more of their time to addressing current and emerging issues – like the targeted threats that occupy so much of their minds, but so little of their working day.

Real world security, in real-time

It’s obvious that security has got the board’s attention. There’s never been a better time for IT security professionals to make their mark on the business. Wouldn’t it be nice if your security solution not only responded to the needs of the CISO, but aligned with the business too?

Maybe all that’s needed is a little re-thinking. And a lot more communication.

Learn more about Kaspersky Systems Management here.

[1] Kaspersky Lab Global IT Security Risk Survey 2014