
Poor Priorities, Lack Of Resources Put Enterprises At Risk, Security Pros Say

In Black Hat survey, security professionals say misplaced enterprise priorities often leave them without the time and budget they need to address the most critical threats.

IT security professionals are becoming increasingly frustrated because the priorities of the business frequently leave the security department short of the time and resources it needs to fight the most critical threats, according to a new study released today.

According to the 2015 Black Hat Attendee Survey, nearly three quarters (73 percent) of top security professionals think it likely that their organizations will be hit with a major data breach in the next 12 months -- but they won't have enough time, money, or skilled staff to handle the crisis.

The survey polled some 460 infosec professionals, 61 percent of whom carry "security" as a full-time job title, and two thirds of whom carry a CISSP or other professional security credentials. 

"I am continuously frustrated by the amount of time, money, and angst I spend on compliance and certifying our security posture," said one survey respondent. "I often feel that security actually suffers because these tasks pull time and attention away from ensuring systems are secure and non-compromised."

In the study, a majority of security professionals (57 percent) cited sophisticated, targeted attacks as their greatest concern. Yet only 26 percent of respondents indicated that targeted attacks were among the top three IT security spending priorities in their organization, and only 20 percent said that targeted attacks were among the top three tasks on which they spend the most time.

More than a third of the Black Hat survey respondents say that their time is consumed by addressing vulnerabilities in internally-developed software (35 percent) or in off-the-shelf software (33 percent). Meanwhile, their budgets are often consumed by compliance issues (25 percent) or sealing accidental leaks (26 percent), leaving them short of resources to fight the real threats.

"Many times, senior leadership is trying to compile data on complex security tasks to report up the chain to someone who is compiling and rolling up data even further -- at which point the relevance of the reported data is completely useless," said one respondent. "Yet, I am required to spend vast amounts of resources dedicated to the collection of meaningless data."

While compliance and software vulnerabilities require a disproportionate amount of budget and time, many security professionals feel that media and public perception cause attention to be deflected from the most critical issues in IT security.

"Close to half (41 percent) of respondents believe that the media has overplayed the issue of domestic government surveillance, and more than a quarter (27 percent) say the media focuses too heavily on hacktivists and politically-motivated attackers," the Black Hat report says. Among management, security professionals perceive a high rate of concern (29 percent) over malicious insiders, which was a top concern for only 17 percent of security professionals.

"Similarly, many Black Hat attendees feel that key threats are being overlooked," the report continues. "Twenty-six percent of respondents say that phishing and social engineering do not get enough attention in the media and at industry events. Accidental data leaks by end users and new vulnerabilities introduced by off-the-shelf software are also areas that do not receive adequate attention," Black Hat attendees said.

"I am infinitely frustrated that my efforts are not put towards more productive endeavors," said one respondent. "Security budgets are under intense scrutiny with the headlines, but these budgets will fade as quickly as the headlines. Reprioritization is a must for any organization."

Nearly a third (31 percent) of Black Hat attendees cited end users as the weakest link in the security chain. "The biggest roadblock I have is a lack of cultural importance on security," said one survey respondent. "Trying to convince people to take extra steps -- better password management, regular patching, security audits, etc. -- is nearly impossible when the company doesn't feel those steps are important."

Source: Black Hat Survey

Other Black Hat attendees agreed. "We have programs in place to educate the employees, but high turnover and general apathy are a constant problem," said one.

But one fifth of respondents (20 percent) said a heavy focus on single-purpose solutions and technologies is creating a growing roadblock to the development of a comprehensive security architecture. These respondents cited "a lack of security architecture and planning that goes beyond firefighting" as their weakest link.

"A good deal of budget needs to be created for actual architectural work to ensure the foundation of the IT solutions that we provide to our customers is secure -- and that the design of these solutions implements sound security principles," one respondent said.

While Black Hat attendees differed in their views on the weakest links in the security chain, most agreed that they do not have enough resources to defend the organization. "Only 27 percent of respondents said they feel their organization has enough staff to defend itself against current threats; nearly a quarter (22 percent) described their security departments as being 'completely underwater,'" the report says. "Similarly, only one third (34 percent) of security pros said their organization has enough budget to defend itself against current threats; 21 percent said they are 'severely hampered' in their defenses by a lack of funding."

One survey respondent put it even more bluntly: "I feel like I am living below the poverty line," he said. "My house has dozens of holes, and I have to choose between feeding myself or spending money on fixing the holes."

Enterprises and their security organizations must rethink their priorities and their allocation of resources to match the current threat, the 2015 Black Hat Attendee Survey states.

"The central message that comes across in all of these questions is that while sophisticated security professionals are increasingly convinced that a major breach is inevitable, most of those security pros do not feel they have the resources and training they need to defend their organizations. The combination of these responses should ring warning bells to the industry that security defense strategies and resources need serious rethinking, and that the people who walk the walls and guard the doors are not confident in their ability to keep online adversaries out of enterprise systems and data."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
