The survey, conducted by Unisphere Research and sponsored by Application Security Inc., queried more than 750 members of the Professional Association for SQL Server (PASS). Responsible for large swaths of organizational information -- 66 percent of them are entrusted with managing 100 to 500 database instances -- these data managers mostly consider themselves responsible for protecting the data they manage. And yet at the same time, they lack a grasp of the overall security objectives, budget details, and strategies across the entire organization.
"The key takeaway from this report is that, in essence, there is a disconnect between what data managers know needs to be done at the technical level, versus the amount of support and awareness the executives on the business side give," says Joe McKendrick, analyst for Unisphere, architect of the survey, and author of the report detailing its results. "A lot of these people could not tell us what's going on across the organization in information security. What's happening is they're taking good care of their particular domains: Their production databases, for example, are well-locked down. But they don't have a sense of what's going across the organization, and management isn't open to the sharing of information across the organization."
For example, even though three-quarters of respondents said the DBAs are responsible for security, a full 40 percent of them couldn't even tell surveyors the state of their security budget growth during the past year. And 57 percent had no clue how much security breaches cost their organizations in the past year.
Of even more concern is the fact that many basic database security practices are falling through the cracks. Nearly a third of organizations experienced audit noncompliance issues due to access control problems, another 18 percent from configuration issues, and an additional 16 percent due to default ID and password combos.
"I saw default passwords and user IDs as a problem, and I'm thinking, 'That's a problem that's been around since the '60s. Why are we still doing this?'" says John Klemens, technical director for information assurance solutions for Telos, which works on database security and other security projects for Department of Defense agencies. "Why haven't we figured that out yet?"
Klemens believes security personnel need to do a better job of interfacing with the DBAs to set expectations and to give them the knowledge and tools necessary to get these issues under control.
"I think it's kind of the same way it was a few years ago with systems administrators with boxes. The DBA's job is to make the database available, make sure things work -- that's their primary responsibility and security normally is someone else's job," he says. "What I see is that the DBAs are willing to do security, but a lot of times they don't have the knowledge to do it. And, ultimately, they're not responsible for setting policies."
McKendrick agrees. "It's really important to have those lines of communication open," he says.
The full report is available here (PDF) for download.