Chicago-based Trustwave confirmed rising levels of job-related stress in the data security trade. The company’s third annual 2016 Security Pressures Report, published Feb. 10, 2016, is based on a survey of 1,414 in-house information security professionals in the United States, Canada, the United Kingdom, Australia and Singapore.
The report compiled three consecutive years of aggregated data, offering strategies for mitigating battle fatigue related to fighting cyber criminals. The survey was conducted by email between November and December 2015, with a 3 percent margin of error, the company stated.
Respondents included high-level security executives from a variety of sectors: technology (31 percent), manufacturing (10 percent), financial services/banking (9 percent), and retail and professional services (both 8 percent).
“Security professionals are under a lot of pressure, not only from advanced threats and the larger attack surface, but also from lack of skills and resources,” said Dan Kaplan, Online Content Manager at Trustwave and author of the report. “This causes a lot of organizations and professionals to feel that they don’t have the means of achieving desired levels of security.”
Insights, concerns
Tyler Hardison, Security Analyst at Redhawk Network Security in Bend, Ore., and former Chief Information Officer of a California credit union, emphasized the value of sharing knowledge across the entire security information value chain. “It’s gratifying to see that the overall concern for security has increased among corporations and the individuals responsible for their institutions,” Hardison said. “This is due in part to the increased reporting requirements and regulatory pressures. Additionally, it should be noted that media reports of breaches have dramatically improved as well as the telling of the stories behind these incidents.”
Following is a summary of key findings in the report:
- Job pressure: Sixty-three percent of information security professionals felt more pressure to secure their organizations in 2015 compared with the previous 12 months; 65 percent expect to feel additional pressure in 2016. Those numbers grew 9 percent and 8 percent, respectively, compared with the same period last year.
- Skill shortage: Shortage of security expertise was a third-place concern, following advanced security threats and adoption of emerging technologies.
- Boardroom pressure: Forty percent of respondents reported a spike in job-related pressure immediately proceeding or following company board meetings, 1 percent higher than stress of a reported data breach incident. “The trip to the board room is not as easy as it used to be, for many security professionals,” Kaplan noted. “Board members who may have once asked, ‘Am I safe?’ have become more attuned to security issues and are asking more pointed questions.”
- Detection versus prevention: The largest security responsibilities facing 54 percent of respondents concerned detecting vulnerabilities, malware and compromised systems, and not preventing them.
- Third-party providers: The number of respondents who partner or plan to partner with managed security services providers has climbed from 78 percent to 86 percent. “Many organizations that face skill shortages or may not be ready to [build a comprehensive security infrastructure] on their own, are looking outside to managed service providers or are bringing a specialist in-house to amplify areas where they are struggling,” Kaplan said.
- Not ready for prime time: Seventy-seven percent of respondents (nearly four in five) are pressured to unveil IT projects that aren’t security ready.
- Emerging security technologies: Pressure to select security technologies containing all of the latest features has jumped from 67 percent to 74 percent among respondents. Having proper resources to use them fell to 69 percent from 71 percent.
- Internet of Things (IoT) threats: Strategies for protection in the expanding universe of connected devices comprising the IoT is a leading concern, second only to adopting and deploying cloud-based technology.
- Data and DDoS gloom: Customer data theft and intellectual property theft remain worst-case scenarios that occur after a data breach. Distributed denial of service attacks can disable websites and remain a leading cause of stress, as well.
- Understaffed departments: If they had the option, 24 percent to 29 percent of respondents would quadruple their staff from its current size.
- Job loss: This is the third-highest post-breach repercussion fear. It grew from 8 percent to 11 percent.