IT security professionals admit to violating their own policies

More than 90% of information security professionals have discussed large-scale, high-profile data breaches like RSA, Citigroup, and Sony with senior management, but only 23% have done anything beyond that, according to a survey of information security professionals who attended the 2011 Gartner Security and Risk Management Summit in June.

“I think it is human nature: ‘Do as I say, not as I do’”, said Ron Gula, chief executive officer and chief technology officer at Tenable Network Security. “I think part of the reason is that the policies security people have to put out are so generic that they know when getting around those policies is the practical thing to do”, Gula told Infosecurity.

Around 46% of information security professionals surveyed said they had experienced some form of insider threat, but “preventing insider threats” was ranked the second-lowest information security priority for the next six to eight months by survey participants.

“People are concerned about insiders, but they are not doing anything about it, even in the face of high-profile breaches”, Gula said. “Who are these insiders? They are not Anonymous working on the inside. They are not foreign intelligence people coming after our data… They are employees who are abusing the policies. If you are a large organization, there are going to be bad apples; you have to have controls in place”, he added.

Attendees at the Gartner event named mobile device security as their top information security priority for the second half of 2011.

“Mobile devices are so convenient. They are really a new way to work with the data. But they are very difficult to fit into traditional IT controls… When you put traditional controls into an iPad environment, you lose the visibility you had with the desktop, you lose visibility into what applications are on that system, you lose a lot of things”, Gula observed.

Yet, executives want to be able to use their smartphones and iPads in the corporate environment. This is something that really concerns information security professionals, he added.

Mobile security was closely followed by “neutralizing advanced persistent threats” and “staying ahead of zero-day attacks”. Nearly 85% of attendees considered advanced persistent threats a real concern, but only 28% ranked them among their top concerns for their business.

“While it’s encouraging to see that the advanced persistent threat is front of mind for the majority of security professionals, it’s critically important for organizations to cut through the hype and understand the profile for these types of attacks, account for what’s at stake, and develop a strategy for protecting their most valuable digital and physical assets”, Gula said in announcing the survey results.