Information security spending budgets have increased, but that doesn't mean organizations are confident in their security posture.
A newly published report from endpoint security company Barkly shows 50% of IT professionals say they aren't confident in their current security products or solutions. Jack Danahy, co-founder and CTO for Barkly, found it startling that such a large number of respondents in the survey don’t trust their security solutions. “Around half of the people we talked to don’t have confidence in the choices that they’ve already made,” says Danahy.
The report also shows that IT departments tend to feel less secure than executives do about their security solutions, he points out. One explanation for the confidence discrepancy between IT management and executives can perhaps be due to different priorities between the groups.
“IT pros, they’re tending to wrestle individual topics,” Danahy says, and knowing all of the pieces and vulnerabilities and having a granular view of security makes them less confident.
C-level employees, on the other hand, are assessing security from a different angle: They’re looking at their teams and thinking, “'I have confidence in the team to make sure we are secure enough,'" he says.
Opening the lines of communication can help IT and executives get on the same page in terms of security confidence, Danahy says. “We bring in third parties to make sure we’re doing things right,” Danahy says of his own organization. He and his colleagues regularly talk about the implications of their decisions beforehand, too.
Getting the C-suite and IT to feel equally confident about security also comes down to working toward a common language, Danahy says. “The language is different when one feels like they’re solving different business problems,” Danahy says, adding that security needs to feel like they’re helping enable the business and executives need to recognize that security helps them do business more effectively.
Jeff Pollard, principal analyst for security and risk at Forrester echoed a similar strategy for getting IT and the C-suite on the same page when it comes to security solution confidence. “I think that the first thing is security leaders need to be able to understand how they can contribute to the businesses goals of obtaining revenue,” Pollard says. “They need to measure themselves by how they win, serve, and maintain customers.”
IT pros also see some security solutions as dragging down business operations: some 41% say their security solution slows down their systems, while more than one-third say the tools require too many updates. One-third say they don't know if their company had experienced a breach in the past year.
Meanwhile, the report shows that a majority of the respondents are only “somewhat” or “not at all” confident in their company’s ability to measure security return on investment (ROI). Forrester's Pollard suggests that IT has been getting a raw deal when it comes to ROI and needs to reorient the way they measure success. It should be “shifting away from metrics that are focused on complaints, like systems that are out of compliance, and instead thinking about how they can enable technologies and customers," he says.
The main reason for the ROI gap in security: "We’re measuring our success often by the mistake the adversary made, not by our ability to actually detect it," he says.