“In 2011, it’s pretty shocking to hear that 41% of organizations admit that they are not really in great shape from a security perspective”, said Martin Ward, senior director of risk and compliance at McAfee. “I was impressed that many people were willing to admit to this”, he told Infosecurity.
The report, Risk and Compliance Outlook: 2011, was commissioned by McAfee and conducted by Evalueserve, which surveyed 353 IT professionals, consultants and security analysts from companies with more than 500 employees in eight countries.
Nearly half of all companies plan to spend an average of 21% more on integrated risk and compliance products, the survey found.
“Risk and compliance is the physician of security. It does the diagnosis of what is going on in your environment. Then we can prescribe the medicine that you need, the medicine being network security or email and Web security. You can save a lot of money if you take that kind of approach rather than guessing where your problems are”, Ward said.
In addition, 56% of organizations are interesting in adding “countermeasure awareness” to their risk management. Countermeasures include anti-virus software, server whitelisting, and network intrusion prevention.
“More than half of organizations are saying that when they calculate risk, they are just looking at threats and vulnerabilities. They are looking at what could go wrong. They are not looking at what is already available to protect them”, Ward said.
Almost half of organizations said that they try to “overprotect” their systems by patching everything, and 45% said they are patching systems every week.
“For instance, if you have 4,000 servers, rather than looking at the countermeasures you have in place and saying, I only need to patch 12, these companies are patching all 4,000. It’s a tremendous waste of time and effort”, Ward observed.
Half of organizations said they had to comply with more than 10 information security-related regulations worldwide. Also, 75% of organizations are not confident that they could pass a regulatory audit of their information security systems.
More than half of organizations surveyed said they had failed an audit. Close to a quarter said that they were spending more than $250,000 annually on auditors to satisfy these regulations.
Ward noted that many companies come to McAfee and want help meeting information security requirements for a particular regulation.
“The reality is that half of these companies have more than 10 regulations to deal with, and 20% have more than 50 regulations to day with. So the real way to address these things is to automate all the IT controls…because 80% of IT controls are consistent across all regulations”, he said.