Report: IT, Security Departments Not Seeing Eye To Eye On Threats To The Business

While 92 percent of security professionals in new Ponemon-Lumension study
A new report underscores a major disconnect between IT and security groups when it comes to what most threatens their organizations.

The Ponemon Institute's 2008 Security Mega Trends Survey, which was commissioned by Lumension, reveals just how far apart IT departments and security groups are when it comes to what they perceive as the biggest threats to their data today and in the next 12 to 24 months. While outsourcing risks are at the top of IT managers' worries, data breaches and cybercrime are the biggest worries for security.

More specifically, half of the IT managers said that outsourcing was a high or very high security risk to their organizations today and in the next one to two years; 44 percent also pointed to data breaches as a comparable risk today, while 40 percent expect them to be so in the next one to two years. Security professionals, meanwhile, ranked data breaches and cybercrime higher: Sixty-six percent consider data breaches high or very high risks today, while 65 percent rank them as such for the next year to two years. In addition, 65 percent say cybercrime is a high or very high risk to their organizations today, while 77 percent say it will be in the next 12 to 24 months. That's in contrast to the IT side, where 47 percent consider it a high risk today, and 49 percent expect that it will be in the next year to two years.

"We see a big disconnect between IT and security in their thoughts about data breaches and how risky that is to a business," says Pat Clawson, CEO of Lumension.

But the most disturbing disconnect was in actual breaches. While 92 percent of security professionals say their organizations had suffered a cyberattack, only 55 percent of IT staffers said the same, while 32 percent said they were uncertain. "That just floored me," Clawson says. "That shows the silos" that still exist, he says.

The two groups were far apart on Web 2.0 threats as well, with only 34 percent of IT saying the use of Web 2.0 will result in the loss of business information (including trade secrets), while 64 percent of IT security said it will. "That's a big delta -- IT is not 'getting' the risk," Clawson says.

Mobile devices are one area where both sides are on the same page, however, with nearly half of each group ranking them as a high or very high risk to the business. "We also think that mobility is dramatically contributing to data loss...mobility and mobile devices were the only area where IT and security got close" in their perceptions, Clawson says.

"The key for both IT operations and IT security is to find the common ground necessary to better wage this security battle together," says Larry Ponemon, chairman and founder of the Ponemon Institute.

Interestingly, neither IT nor security departments rate virtualization as high risk. But about half of each said the biggest danger with virtualization is not being able to identify and authenticate users to multiple systems "and third parties' access to private files without authorization," according to the report.
