IT security pros prioritise new tech over training

News by Doug Drinkwater

New research from IT security vendor Websense and Ponemon Institute indicates that security professionals want their companies to invest in new technology, but are doing little to 'upskill' existing staff.

In their ‘Roadblocks, Refresh & Raising the Human security IQ' study, the two companies surveyed nearly 5,000 security professionals across the globe with at least 10 years' experience each and discovered a whole host of topical issues, from limited cyber security knowledge among the C-suite to concerns around current security systems.

“This Ponemon Institute security survey highlights that a lack of communication, education and inadequate security systems is making it possible for cyber-criminals to attack organisations across the globe,” said Websense CEO John McCormack in a statement to the press.

“It's not surprising that many security professionals are disappointed with the level of protection their current solutions provide, as many still use legacy solutions that cannot disrupt the kill chain to prevent data theft.”

Of the findings, arguably the most poignant was that nearly one in three (29 percent) IT professionals would completely overhaul their current enterprise security system given the resources and opportunity, while only 38 percent believed that their firm was investing enough in skilled personnel and technologies.

Almost half of all respondents (47 percent) said that they were ‘frequently disappointed' with the level of protection offered by a security solution that they had procured and only 12 percent said that they had never been disappointed in their chosen security solutions.

One in two respondents (56 percent) believed that a data breach would trigger a change of security vendors but, on a more encouraging note, 49 percent said that they were planning to make ‘significant' investments and adjustments to cyber security defences over the next year.

“Advanced persistent threats and data exfiltration attacks rank as the top fears for IT security professionals,” said Dr Larry Ponemon, chairman and founder of the Ponemon Institute. “These fears manifest because they believe their technology is in need of an overhaul and there is a widening gap in the knowledge and resource sharing among IT security professionals and executive staff.”

Falling down on boardroom support, security training

The report also highlighted the continuing concerns around security training awareness and a lack of boardroom support, issues that were raised in a separate study of some of the UK's top chief information security officers (CISOs) last week.

On the lack of C-level awareness, 31 percent of cyber security teams said that they never spoke with their executive team about cyber security, with a further 23 percent and 19 percent saying that they did so only on an annual and bi-annual basis respectively. Just over one in ten (11 percent) spoke to the boardroom about such matters on a quarterly basis, and one percent spoke to them weekly.

Neil Thacker, information security and strategy officer for Websense EMEA, told that too many CISOs and other senior IT members talk about threats and targeted attacks, rather than the solutions required by specific department members.

“You see the Blackberries going up,” said Thacker on when CISOs talk generally on targeted attacks to the boardroom.

According to the study, security pros feel the top three events that would compel executive teams to allocate more money to cyber security initiatives would be exfiltration of intellectual property (67 percent), a data breach involving customer data (53 percent) and loss of revenues because of system downtime (49 percent).

Security awareness is also an issue as more than half of companies do not provide cyber security education to employees currently. Just four percent plan to do so in the next 12 months.

The issue, according to both Thacker and former CISO Amar Singh, is that too many of these programmes are run on an annual basis as a ‘tick box exercise' and that most people will forget information very quickly.

Citing an old study, Thacker said: “…People forget 50 percent of information in five minutes – that's the issue with running awareness campaigns but that's humans for you.”

“We've got to get better at running real-time education. It's really powerful. Make it specific to the employee and drip it to them – you don't want to make it like a project,” he added.

“It's a tick box exercise and it's exactly what I am seeing every day,” added Singh, who is chair of ISACA UK's security task force. “I think not enough companies are investing in their existing people – they're always looking to the outside instead of upskilling.”
