Vulnerabilities / Threats
3/16/2016
07:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Half Of IT Departments Lack Confidence In Their Security Solutions

IT, C-level executives view their organizations' security differently, new report finds.

Information security spending budgets have increased, but that doesn't mean organizations are confident in their security posture. 

A newly published report from endpoint security company Barkly shows 50% of IT professionals say they aren't confident in their current security products or solutions. Jack Danahy, co-founder and CTO for Barkly, found it startling that such a large number of respondents in the survey don’t trust their security solutions. “Around half of the people we talked to don’t have confidence in the choices that they’ve already made,” says Danahy.

The report also shows that IT departments tend to feel less secure than executives do about their security solutions, he points out. One explanation for the confidence discrepancy between IT management and executives can perhaps be due to different priorities between the groups.

“IT pros, they’re tending to wrestle individual topics,” Danahy says, and knowing all of the pieces and vulnerabilities and having a granular view of security makes them less confident.

C-level employees, on the other hand, are assessing security from a different angle: They’re looking at their teams and thinking, “'I have confidence in the team to make sure we are secure enough,'" he says.

Opening the lines of communication can help IT and executives get on the same page in terms of security confidence, Danahy says. “We bring in third parties to make sure we’re doing things right,” Danahy says of his own organization. He and his colleagues regularly talk about the implications of their decisions beforehand, too.

Getting the C-suite and IT to feel equally confident about security also comes down to working toward a common language, Danahy says. “The language is different when one feels like they’re solving different business problems,” Danahy says, adding that security needs to feel like they’re helping enable the business and executives need to recognize that security helps them do business more effectively. 

Jeff Pollard, principal analyst for security and risk at Forrester echoed a similar strategy for getting IT and the C-suite on the same page when it comes to security solution confidence. “I think that the first thing is security leaders need to be able to understand how they can contribute to the businesses goals of obtaining revenue,” Pollard says. “They need to measure themselves by how they win, serve, and maintain customers.”

IT pros also see some security solutions as dragging down business operations: some 41% say their security solution slows down their systems, while more than one-third say the tools require too many updates. One-third say they don't know if their company had experienced a breach in the past year.

Meanwhile, the report shows that a majority of the respondents are only “somewhat” or “not at all” confident in their company’s ability to measure security return on investment (ROI). Forrester's Pollard suggests that IT has been getting a raw deal when it comes to ROI and needs to reorient the way they measure success. It should be “shifting away from metrics that are focused on complaints, like systems that are out of compliance, and instead thinking about how they can enable technologies and customers," he says.

The main reason for the ROI gap in security: "We’re measuring our success often by the mistake the adversary made, not by our ability to actually detect it," he says.

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HPERPER
50%
50%
HPERPER,
User Rank: Apprentice
3/18/2016 | 11:38:44 AM
Security Solutions
The NCCoE (nccoe.nist.gov) is providing reference architectures to assist in the adoption of standards based secure solutions.  Check the projects we have completed, contact us and get involved. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.