Companies employ security professionals to defend their networks. They are pitted against equally professional and particularly talented attackers using 0-day weapons the defenders have never seen before. Judging by the number of breaches occurring almost daily, the attackers appear to be in the ascendant. Now a new report seeks to uncover the pressures affecting our defenders in their daily work.
Trustwave has published the results of the first of what it intends to be a new annual survey: the 2014 Security Pressures Report. Using an independent research company it surveyed 833 IT security decision makers to understand the pressures they live with in making their security decisions. The results confirm what many have suspected: business pressure prevents security solutions.
The pressure to improve security is increasing because the perceived threats are growing. Half of the respondents say that this pressure comes from their superiors within the company, but 13% say it is coming from themselves.
The most worrying concern is over targeted attacks, with 64% saying it has increased over the last year. This is followed by worries over the theft of customer data. External threats are more worrying than insider threats; but where insiders are involved the worry is more over naivety than malfeasance.
However, it is noticeable that much of the pressure that IT professionals live with comes from their own companies. Particularly concerning is that around 80% of IT security professionals feel pressured to roll out new projects despite concerns that they are not security-ready. Even more (85%) suggest that an increased security head-count would make their security function more efficient; perhaps contributing to concern over pressure to implement the latest security technologies without necessarily having the resources to do so effectively.
Unsurprisingly, the top three items on the professionals' wish list to solve all of these problems are more money, more security staff, and more time to focus on the issues. These are unlikely. Most companies are facing budgetary restraints; a worldwide security skills shortage is well-documented; and competitive business pressures will always require that new projects and products are delivered as quickly as possible.
It is perhaps an underlying acceptance of this reality that is making these professionals consider an alternative solution. At the moment, 3 out of 4 IT teams run security in-house; but a total of 82% use or are looking to use managed security services to relieve the pressure. This is indeed, one of the conclusions of the report: augment in-house security expertise.
"Since security has become a more time-consuming, skills-specific and daunting task for many in-house IT teams, more businesses are augmenting their staff by partnering with an outside team of security experts that help ensure more effective security tools are installed and running properly to prevent a data compromise... This can allow IT pros to focus on their primary jobs of IT projects that enable the business and generate revenue for their employers."