
Security pros focused on internal threat, training

By Marcia Savage, Features Editor, Information Security magazine
05 May 2008 | SearchSecurity.com


Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey of information security professionals.


The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security pros worldwide.

Fifty-one percent of the respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Rob Ayoub, Frost & Sullivan network security industry manager.

"That increases the chance of something happening, whether it's malicious employees or just someone with good intentions but walks out of the building with data so they can work at home," he said.

The survey's findings are supported by Information Security's Priorities 2008 survey, in which 70% of participants said they're worried about detecting and thwarting internal attacks.

Along with the focus on internal threats, respondents in the (ISC)2 survey view security awareness as critical for effective security management. Forty-eight percent said users following information security policy was the top factor in their ability to protect an organization.

Information Security's Priorities 2008 survey:
In Information Security's Priorities 2008 survey, 1,149 readers cite many challenges, primary among those being mobility and security, identity and access management, protecting data and intellectual property, and vulnerability management.


More and more, security teams are being tasked with running security awareness training for end users, from safe password practices to corporate policies, Ayoub said. "Industry-wide, security awareness training is becoming more important," he said.

Regulatory requirements and a stream of data breaches are leading more businesses to place more emphasis on security awareness, Winn Schwartau, founder of SCIPP International, a nonprofit provider of end-user security awareness training and certification, said in an interview in March. Still, some companies rely on technology to address behavioral problems while others do just the bare minimum when it comes to training their rank and file about security, he said.

"In the cyber world, we've been very neglectful about teaching people when something is not right," he said, adding that security awareness is critical for reducing risk in an organization.

(ISC)2's survey also indicated a growing need for professional training in certain security domains, with participants ranking security administration and secure application development as the top areas in which they want to increase their skills.

Security professionals also are optimistic that their organizations will increase spending for training this year. Nearly 60% of respondents in the Americas and Asia-Pacific reported that they expect training and education to increase in 2008.

"The upper levels of management are realizing they can't expect a security professional to do their job properly without continued training," Ayoub said. "As a result, folks are seeing more money going into the training while in other areas, we might see training cutbacks. Security is one area where respondents are reporting healthy increases."

The survey also found that, as an increasingly mobile workforce punches holes in the traditional network perimeter, companies are becoming more focused on data protection. Wireless security, cryptography, storage security and biometrics were the top five technologies that respondents said their organizations were planning to deploy. Ayoub said companies are implementing more security measures for their wireless networks because they "are a real path to the data."

The interest in biometrics, researchers said, shows the continued need for organizations to improve access controls to protect sensitive data.

Information Security's Priorities 2008 survey also showed heightened interest in protecting sensitive and confidential data. About 68% of readers surveyed said they will be spending more time on data protection this year. Some 66% said database security is important while 58% viewed creation of a data deletion and retention process as vital.

Despite a slow economy, Frost & Sullivan estimates that the number of information security professionals will increase to almost 2.7 million by 2012, up from approximately 1.66 million today.


