IT security spending does not equal data security, survey finds

A majority of respondents to the survey of more than 200 IT professionals admit they lack the ability to manage security in virtualized and cloud environments and to monitor and secure consumer devices, such as smart phones and tablets.

Close to eight in ten respondents have experienced the following in the past two years: malware (76%), lost or stolen equipment (75%), external data theft (74%), and insider data theft (72%).

Survey respondents cited the following as their most difficult challenges: lack of time to monitor vast amounts of data (64%), inability to manage security in the cloud (55%), and inability to manage security in virtualized environments (54%).

“Although half of the IT budget is devoted to security, security appears to be broken for many organizations”, said Brennan O’Hara, solution marketing manager at NetIQ.

The survey found that IT security budgets continue to grow, despite the continuing poor performance on data security. Around 77% of respondents indicated IT security budgets are higher this year compared to last; on average, 59% of enterprise IT budget is allocated toward security.

O’Hara said the lack of time to monitor data is a key contributor to the continuing security problems at these organizations. “What we found was that IT security staffs in general are greatly under-resourced. So, although the enterprise may have solutions in place to log all these security events… unfortunately with lack of staff and resources, there is an inability to sift through all that data…. Folks seem unable to properly analyze and correlate the data in order to prevent the data breaches that are happening”, he told Infosecurity.

Survey respondents cited the following as weaknesses of current security solutions: handling consumer devices (such as smart phones), the short life span of current solutions, handling the disappearance of traditional firewalls, and difficulty in deploying solutions.

“Users are going outside of security policy and conducting business with customers or partners in a way that is not visible to IT, ultimately leaving IT with the inability to track and monitor that access…. That greatly exposes organizations to data theft of some kind”, he said.

O’Hara identified some technologies that should be implemented as part of an enterprise's security foundation, such as log management and access management tools; password management; and identity management tools, particularly for cloud and virtual environments.

Policies and procedures also need to be put in place to secure data. “Security really must be part of the user’s culture and should be part of the DNA of the enterprise”, O’Hara concluded.
