
Security pros focused on internal threat, training

By Marcia Savage, Features Editor, Information Security magazine
05 May 2008 | SearchSecurity.com


Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey of information security professionals.


The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security pros worldwide.

Fifty-one percent of the respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Rob Ayoub, Frost & Sullivan network security industry manager.

"That increases the chance of something happening, whether it's malicious employees or just someone with good intentions but walks out of the building with data so they can work at home," he said.

The survey's findings are supported by Information Security's Priorities 2008 survey, in which 70% of participants said they're worried about detecting and thwarting internal attacks.

Along with the focus on internal threats, respondents in the (ISC)2 survey view security awareness as critical for effective security management. Forty-eight percent said users following information security policy was the top factor in their ability to protect an organization.

Information Security's Priorities 2008 survey:
In Information Security's Priorities 2008 survey, 1,149 readers cite many challenges, primary among those being mobility and security, identity and access management, protecting data and intellectual property, and vulnerability management.


More and more, security teams are being tasked with running security awareness training for end users, from safe password practices to corporate policies, Ayoub said. "Industry-wide, security awareness training is becoming more important," he said.

Regulatory requirements and a stream of data breaches are leading more businesses to place more emphasis on security awareness, Winn Schwartau, founder of SCIPP International, a nonprofit provider of end-user security awareness training and certification, said in an interview in March. Still, some companies rely on technology to address behavioral problems while others do just the bare minimum when it comes to training their rank and file about security, he said.

"In the cyber world, we've been very neglectful about teaching people when something is not right," he said, adding that security awareness is critical for reducing risk in an organization.

(ISC)2's survey also indicated a growing need for professional training in certain security domains, with participants ranking security administration and secure application development as the top areas in which they want to increase their skills.

Security professionals also are optimistic that their organizations will increase spending for training this year. Nearly 60% of respondents in the Americas and Asia-Pacific reported that they expect training and education to increase in 2008.

"The upper levels of management are realizing they can't expect a security professional to do their job properly without continued training," Ayoub said. "As a result, folks are seeing more money going into the training while in other areas, we might see training cutbacks. Security is one area where respondents are reporting healthy increases."

The survey also found that, as an increasingly mobile workforce punches holes in the traditional network perimeter, companies are becoming more focused on data protection. Wireless security, cryptography, storage security and biometrics were the top five technologies that respondents said their organizations were planning to deploy. Ayoub said companies are implementing more security measures for their wireless networks because they "are a real path to the data."

The interest in biometrics, researchers said, shows the continued need for organizations to improve access controls to protect sensitive data.

Information Security's Priorities 2008 survey also showed heightened interest in protecting sensitive and confidential data. About 68% of readers surveyed said they will be spending more time on data protection this year. Some 66% said database security is important while 58% viewed creation of a data deletion and retention process as vital.

Despite a slow economy, Frost & Sullivan estimates the number of information security professionals will increase to almost 2.7 million by 2012, up from approximately 1.66 million today.


