This month's SC Survey reveals that an alarmingly high proportion of information security professionals lack the tools and systems needed to alert upper management to the risk of attack and potential damage.
Our latest survey goes a little back to basics in this issue of SC. In an age when IT security managers are bombarded with fancy talk about consumerisation, virtualisation, cloud and the rest, it's worth remembering that many professionals still sweat the small stuff when it comes to network and enterprise architecture security.
We also talk a lot about security becoming a business issue (and it must, of course) and the importance of keeping the board and senior management in the loop, but our survey gives a mixed picture of what is actually happening on the ground.
Just under half of our respondents were only “somewhat confident” that they had the tools and systems to give upper management an accurate assessment of the risk of attack, and, more crucially, an estimate of potential damage. A worrying 30 per cent were either “unsure” or “not confident at all”. Not a great picture and it begs the question: is an opportunity for vendors and the industry at large being missed? Information is key and security professionals need better, more efficient ways of getting status reports to those who matter.
These results are compounded by the conundrum: What security management processes are the most time-consuming? Yep, you got it – “generating reports for management and auditors”, cited by some 64 per cent of our respondents. Given how time-consuming their actual security-related tasks were also revealed to be, it's not hard to picture an overworked, stressed network security manager deprived of the tools needed to make the job easier. And network security is pretty much fundamental to achieving a secure enterprise. If you can't keep the arteries clear of malware and free from attack then something is very much amiss. Which explains why the majority of our respondents deploy vulnerability analysis, IPS and risk-analysis systems for the all-important task of monitoring network security.
However, further down the list are such leading-edge items as SIEM and network compliance management. This is revealing in that, while conference speakers, vendors and indeed articles in SC discuss such advances, it seems that out at the coal face, security managers are occupied with more fundamental matters and using proven tools to deal with them. Yet as discussed earlier, such tools might help them deal with the business and administration aspects of network security.
When it comes to one of those fundamentals – patching – the survey results are perhaps disappointing in terms of what we might want to believe as an industry, but nonetheless probably show the pressures that network managers are under. It reveals that fewer than 30 per cent manage to patch high-priority vulnerabilities within 24 hours, while around half take up to seven days. So again, what can the industry do to help improve these important response times – including response times to the most worrying threats: new attacks discovered in the wild?
The SC/Skybox Security survey ran during September 2011 and analysed the responses of 268 IT security professionals.