What keeps information security professionals up at night?

Article

What keeps information security professionals up at night?

What do information security professionals consider the biggest threat to their systems and businesses? According to a recent study commissioned by Unisys, the issue most responsible for disrupting

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

the sleep of top security executives is employee negligence or abuse of data warehouses or systems (97%). Insufficient resources to get the job done right (90%) is a close second.

Surprisingly, only 70% indicated that a catastrophic attack on IT infrastructure, including sophisticated viruses and expert hacker penetration was of most concern. Each respondent was asked in personal interviews to list up to five top issues in ascending order, higher percentages indicate a more frequently recognized issue.

Due to the lack of corporate resources, about 73% of participants in the study believed that they didn't have the staff to secure known security holes. About 80% of respondents said that outsourcing IT and data management activities to reduce costs created additional infosecurity risks that weren't being managed adequately.

The in-depth survey of 34 infosecurity professionals with direct responsibility for IT security services in their organizations revealed frustration with the lack of funds for preventative security measures. Some commented that the lack of resources causes them to make tough allocation decisions that may leave the company's critical infrastructure vulnerable.

Some of the greatest strains to the budget include hiring and retention, training and awareness programs, keeping up with new tools that might enhance security controls and implementing privacy safeguards.

These security professionals shared information security practices that they believe are key for complex business organizations.

  • Integrate information security management with the company's privacy, corporate compliance and internal audit initiatives.
  • Designate that the CISO report directly to senior management with periodic update reports to the CEO or board. Information security must be owned by a member of senior management to get enough budget authority to get the job done "right." Decentralized IT infrastructure in many companies makes it important to have employees in various autonomous IT units own responsibility for information security management.
  • Introduce enabling technologies that help prevent common threats to data security and privacy. While new technologies in perimeter control, connectivity and authentication could be of enormous value in mitigating security risks, many aren't being used due to limited time and budgets.
  • Create the best possible training program. Employee negligence is a major factor of serious security breaches. Teaching employees the "dos and don'ts" of information security can infuse the company with a culture that promotes personal accountability for safeguarding information and IT equipment.
  • Conduct vigorous internal monitoring of information security process and controls. Respondents acknowledged the importance of keeping a vigilant eye on the IT and data management infrastructure and of third-party audits, including the early identification of serious security holes and potential regulatory compliance breaches.

    Despite numerous challenges to maintaining security, participants also believe senior management is becoming more sensitive to security risks. Further, there is the growing realization that superior privacy practices can build trust and enhance the organization's reputation in the marketplace. As a result, security professionals are hopeful that they can turn today's security and privacy threats into tomorrow's business opportunities.

    About the author
    Larry Ponemon is chairman and founder of the Ponemon Institute, an organization focused on the development of privacy audits, privacy risk management and ethical information management. For more information about the Unisys Information Security Tracking Study, please contact the Ponemon Institute at mailto:research@ponemon.org.