Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

New Threats Necessitate Shift Toward Security Architecture, Risk Management

Ad hoc security solutions are no longer enough, Ernst & Young study says

It's time for security organizations to step back and look at the bigger picture, according to a new report published today.

A new threat environment -- and continuing breaches in the enterprise -- are combining to overwhelm the mix of single-function security systems and applications that most organizations currently rely on, according to Ernst & Young’s Global Information Security Survey 2012 report. The report is based on responses from more than 1,850 CIOs, CISOs, and other information security executives in 64 countries. "Organizations are implementing incremental improvements to their information security capabilities to provide short-term solutions — without tackling the issues associated with the overall information security threat," the report states.

According to Ernst & Young, 31 percent of organizations have experienced a higher number of security incidents in the past two years than they did in years prior. "The need to develop a robust security architecture framework has never been greater," the report says. However, 63 percent of organizations have no such framework in place, and only 16 percent of respondents report that their information security function fully meets the needs of the organization.

More than three-quarters (77 percent) of respondents agreed that there is an increasing risk from external attacks, and 46 percent reported that internal vulnerabilities are also on the rise.

Fifty-one percent of organizations reported plans to increase their budget by more than 5 percent in the next 12 months, the study says. The top investment priorities are securing new technologies (55 percent) and business continuity (47 percent). Sixty-three percent of respondents indicated that their organizations have placed the responsibility for information security in the hands of the IT department, the study states. "However, as information security begins to spread beyond traditional IT issues, decisions are now needed around selecting the right tools, processes and methods for monitoring threats, gauging performance and identifying coverage gaps, and a reappraisal of responsibilities is required," it says.

Chief risk officers are currently responsible for information security in only 5 percent of organizations, according to Ernst & Young. "Many organizations lack the formal risk assessment mechanism provided by the risk function, resulting in 52 percent of organizations having no threat intelligence program in place.

"The proliferation of threats — and the acceleration of the gap between vulnerability and security — requires multiple sources of assessment, such as internal audit, internal self assessments and third-party assessments, to monitor and evaluate security incidents," the report states.

"These bolt-on or stack work-around solutions being seen today — which fix short-term information security needs — are masking a bigger problem around vulnerability," Ernst & Young says. Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29446
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29451
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.
CVE-2021-29452
PUBLISHED: 2021-04-16
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this ...
CVE-2021-29444
PUBLISHED: 2021-04-16
jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDec...