Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey of information security professionals.
The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security pros worldwide.
Fifty-one percent of the respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Rob Ayoub, Frost & Sullivan network security industry manager.
"That increases the chance of something happening, whether it's malicious employees or just someone with good intentions but walks out of the building with data so they can work at home," he said.
Along with the focus on internal threats, respondents in the (ISC)2 survey view security awareness as critical for effective security management. Forty-eight percent said users following information security policy was the top factor in their ability to protect an organization.
More and more, security teams are being tasked with running security awareness training for end users, from safe password practices to corporate policies, Ayoub said. "Industry-wide, security awareness training is becoming more important," he said.
Regulatory requirements and a stream of data breaches are leading more businesses to place more emphasis on security awareness, Winn Schwartau, founder of SCIPP International, a nonprofit provider of end-user security awareness training and certification, said in an interview in March. Still, some companies rely on technology to address behavioral problems while others do just the bare minimum when it comes to training their rank and file about security, he said.
"In the cyber world, we've been very neglectful about teaching people when something is not right," he said, adding that security awareness is critical for reducing risk in an organization.
(ISC)2's survey also indicated a growing need for professional training in certain security domains, with participants ranking security administration and secure application development as the top areas they want to increase their skills.
Security professionals also are optimistic that their organizations will increase spending for training this year. Nearly 60% of respondents in the Americas and Asia-Pacific reported that they expect training and education to increase in 2008.
"The upper levels of management are realizing they can't expect a security professional to do their job properly without continued training," Ayoub said. "As a result, folks are seeing more money going into the training while in other areas, we might see training cutbacks. Security is one area where respondents are reporting healthy increases."
The survey also found that, as an increasingly mobile workforce punches holes in the traditional network perimeter, companies are becoming more focused on data protection. Wireless security, cryptography, storage security and biometrics were the top five technologies that respondents said their organizations were planning to deploy. Ayoub said companies are implementing more security measures for their wireless networks because they "are a real path to the data."
The interest in biometrics, researchers said, shows the continued need for organizations to improve access controls to protect sensitive data.
Information Security's Priorities 2008 survey also showed heightened interest in protecting sensitive and confidential data. About 68% of readers surveyed said they will be spending more time on data protection this year. Some 66% said database security is important while 58% viewed creation of a data deletion and retention process as vital.
Despite a slow economy, Frost & Sullivan estimates the number of information security professionals to increase to almost 2.7 million by 2012, up from approximately 1.66 million today.