Disturbing spending gap in enterprise IT security resources
Based on a survey of nearly 500 top-level security experts who have attended the annual Black Hat USA conference, this research highlights the trends and pitfalls of the InfoSec world with responses from one of the most security-savvy audiences in the industry.
The survey revealed a significant gap between the top concerns that keep security professionals awake at night and the tasks that keep them occupied during the day.
Sophisticated Targeted Attacks: 57% of respondents indicated attacks targeted directly at their organization as their greatest concern. However, only 26% indicated that mitigating these attacks was among the top three security spending priorities in their organization. Further, only 20% said targeted attacks were among the top three tasks they spend the most time on day-to-day.
Social Engineering: At 46%, the second greatest concern was phishing, social network exploits or other forms of social engineering. Yet only 22% indicated their organization spends a large portion of its security budget here. And only 31% indicated that they spend a large amount of their time on social engineering.
If not on their top concerns for the business, where are security professionals spending their time?
More than a third of Black Hat attendees said that their most time-consuming tasks are addressing vulnerabilities introduced by internally developed software (35%) and vulnerabilities introduced by off-the-shelf software (33%).
The data suggest that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.
Nearly three quarters (73%) of respondents think it is likely that their organizations will have to deal with a major data breach in the year ahead. A key reason for security professionals' concerns about future attacks is the shortage of resources that they feel in their own organizations:
Staffing Shortage: Only 27% of respondents said they feel their organization has enough staff to defend itself against current threats.
Measly Budgets: Only one-third (34%) said their organization has enough budget to defend itself against current threats.
In Need of Training: While 36% said they have the skills they need to do their jobs, some 55% said they could use some training.