A survey of 300 UK IT directors and managers by Cyber Security EXPO found that more than a third (37 per cent) were most concerned about a shortage of security technology, compared to nine per cent who cited lack of budget as the most significant challenge. Almost a quarter (23 per cent) claimed the biggest challenge was the shortage of well-qualified people.
Asked if it was a surprise that professionals were bemoaning a lack of people rather than technology, Brian Honan, CEO of BH Consulting, told IT Security Guru that this was no big surprise as many organisations are struggling to maintain and keep their existing technology solutions updated and effective against security threats.
He said: “The main cause behind this is lack of skilled personnel to ensure this work happens. Technology by itself will not secure a company. Experienced and skilled staff is what is required, not just to manage existing technology but to select appropriate new technologies to augment the organisation’s security.”
David Gibson, vice president of Varonis, said: “This isn’t surprising because many times you need people to operate the technology. Most great security products augment human intelligence; they don’t replace it.
“Technology can alert you to dangerous behaviour or help you prioritise your risks, but ultimately humans are responsible for deciding which security policies to put in place and when and where to take action.”
David Howorth, EMEA vice president at Alert Logic, said that it was surprising that the impact of security spend was not higher, as threats are coming from all angles and companies are spending on security technologies to attempt to prevent and/or remediate those threats.
“But, they are not spending the money on increasing the IT team, who are now expected to keep companies secure and be a jack of all trades, and master of none,” he said.
“If you look at high profile breaches such as the Target breach in the US, they had the technology they needed to protect against that breach, they just didn’t have the IT people to be able to sift through millions of events and incidents, correlate the information with other threat intelligence resources and escalate the top items for immediate remediation. If they had more people, they could have had a higher chance of dealing with the potential breach. That is why a lot of companies are looking to security delivered as a managed service: you get the technology and the expertise and the people.”
The survey also found that 91 per cent of respondents are satisfied with the budget they have. Honan said that if the question had been “what’s the most significant challenge?”, then budget may be a challenge, but there are other more significant ones that organisations face, such as lack of skilled staff, ensuring effective security awareness training for staff, effective monitoring, etc.
Howorth said: “Do I think that 91 per cent are happy with the budget they have? Yes and No. ‘Lack of budget’ is an easy cop-out for why systems are not secured. According to Gartner, 80 per cent of security breaches could be prevented by security best practices that are in the control of the IT team, such as basics like patching, implementing two-factor authentication for administrator access, continuous monitoring and analytics etc.
“Budget is not the main issue: it is the skills and resources and bandwidth to be able to be proactive in IT and not just reactive.”
The survey also found that 18 per cent of respondents block the use of USB sticks, while 55 per cent would immediately ban the use of USBs.
Gibson said: “A USB stick is one of many ways data can escape. Data can escape via an email, FTP, printers, a lost laptop, or even in a picture of a computer screen taken by a phone. Before focusing on blocking all the escape routes, companies should really prioritise restricting employee access to only the information they need to do their jobs.
“Most employees have access to far more data than they need, and once they have access it’s very difficult to ‘put the horse back in the barn.’ Once access is restricted, it’s important to monitor and analyse access activity and alert on any abuse.”
Scott Gordon, CMO of ForeScout, said that if you look at data loss and compliance issues for personally identifiable information leaving the organisation, and also look at how USB sticks have evolved to store more data wirelessly, it is a true threat.
“Companies need to look at the safeguards deployed on intrusion that range from Digital Rights Management to data loss prevention to encryption, and network access control technology,” he said. “We see bans in Government, insurance, financial services, pharmaceuticals. There is no one control for this by itself.”
Looking at the survey data overall, Steve Durbin, managing director of the Information Security Forum, told IT Security Guru that these findings reinforce something that it had been saying for some time now, that the lack of skills is a very real threat.
He said: “We highlighted it in our Threat Horizon 2015 report, the skills shortage is not getting better. If anything, the clamour for cyber skills is getting worse.
“We’re seeing this reflected in all parts of the world. People have always been the weakest link and whilst we are continuing to see advances in technology, from a security standpoint we are nowhere near the stage where we can do without the cyber savvy expert to both interpret findings and more importantly, align the use of technology with the emerging business needs that we see developing.
“Are 91 per cent happy with the budget they receive? I’d be surprised! I think they have other things getting in the way and frankly, the business astute CIO knows that budget can be made available if (s)he can make the case linking IT and security spend with strategic business intent and demonstrate a solid return on investment.”
TK Keanini, CTO of Lancope, said: “My advice is to look at the larger picture and if you are not going to employ experts on your staff, make sure you still have access to them via partners or connections.”
Cyber Security EXPO will be held next week, 8th and 9th October at London’s Excel centre.