Security incidents can slip right past an IT shop during a merger, when staffing is tight or when technology deployments outpace an enterprise's ability to keep up. In a recent survey, some IT professionals admitted this is exactly the scenario they're dealing with.
"Organizations are putting in new systems and software all the time, and in the process they keep uncovering new vulnerabilities," said Pamela Fredericks, manager of security advisory services for security firm Forsythe Solutions Group, a unit of Skokie, Ill.-based Forsythe Technology Inc. The company recently asked more than 100 senior IT and data security professionals how confident they are in their security procedures.
In all, 28% of respondents said they have "little or no confidence" that they've detected all significant security breaches in the past year. Meanwhile, 26% rated their current IT environment as more vulnerable than it was the year before.
On the plus side, a vast majority of those surveyed -- 74% -- said they feel less vulnerable than the year before.
Respondents were asked, "How confident are you that all significant security breaches that have occurred over the past year have been caught?" Twenty percent said they are very confident, 53% said they're moderately confident, 21% said they're not very confident and 7% said they're not at all confident.
"If companies absorb other divisions or merge with other companies, it creates even more uncertainty and a situation where things can fall through the cracks," Fredericks said. "One person noted all the new services their organization manages and said there's simply more traffic, more types of attacks and more things going on than they feel they can adequately address."
The 26% who said they're more vulnerable to attacks now than a year ago cited, among other things, uncertainty following acquisitions, new services that didn't go through a security review and increased Internet exposure as more systems are deployed. Those feeling less vulnerable cited such factors as intrusion-prevention system (IPS) deployment, the hiring of a security officer and better awareness, education and authentication procedures.
When asked to identify the area of security that will consume most of their time and effort in the year ahead, 43% listed "policy, process and procedure." Fredericks said the response illustrates the influence regulatory compliance continues to have on security spending.
"Regulations like Sarbanes-Oxley, HIPAA and [Gramm-Leach-Bliley] have stimulated the demand for better security 'policies, processes and procedures,'" she said. "I'm certain that these items would have been a low or nonexistent priority had we asked these questions a few years ago."
Overall, Fredericks said, the findings illustrate the need for a comprehensive yet clear security program. "That's what the regulations are looking for," she said. "The SOX internal controls are part of that. If you install technology for security, you have to have some sort of process and policy behind it, and you need the people in place to support that."