Security pros focused on internal threat, training

A recent survey shows organizations are worried about risks posed by employees and increasingly interested in training as the network perimeter continues to crumble.

Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey of information security professionals.

The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security pros worldwide.

Fifty-one percent of the respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Rob Ayoub, Frost & Sullivan network security industry manager.

"That increases the chance of something happening, whether it's malicious employees or just someone with good intentions but walks out of the building with data so they can work at home," he said.

The survey's findings are supported by Information Security's Priorities 2008 survey, in which 70% of participants said they're worried about detecting and thwarting internal attacks.

Along with the focus on internal threats, respondents in the (ISC)2 survey view security awareness as critical for effective security management. Forty-eight percent said users following information security policy was the top factor in their ability to protect an organization.

Information Security's Priorities 2008 survey:
In Information Security's Priorities 2008 survey, 1,149 readers cite many challenges, primary among those being mobility and security, identity and access management, protecting data and intellectual property and vulnerability management.

More and more, security teams are being tasked with running security awareness training for end users, from safe password practices to corporate policies, Ayoub said. "Industry-wide, security awareness training is becoming more important," he said.

Regulatory requirements and a stream of data breaches are leading more businesses to place more emphasis on security awareness, Winn Schwartau, founder of SCIPP International, a nonprofit provider of end-user security awareness training and certification, said in an interview in March. Still, some companies rely on technology to address behavioral problems while others do just the bare minimum when it comes to training their rank and file about security, he said.

"In the cyber world, we've been very neglectful about teaching people when something is not right," he said, adding that security awareness is critical for reducing risk in an organization.

(ISC)2's survey also indicated a growing need for professional training in certain security domains, with participants ranking security administration and secure application development as the top areas in which they want to increase their skills.

Security professionals also are optimistic that their organizations will increase spending for training this year. Nearly 60% of respondents in the Americas and Asia-Pacific reported that they expect training and education to increase in 2008.

"The upper levels of management are realizing they can't expect a security professional to do their job properly without continued training," Ayoub said. "As a result, folks are seeing more money going into the training while in other areas, we might see training cutbacks. Security is one area where respondents are reporting healthy increases."

The survey also found that, as an increasingly mobile workforce punches holes in the traditional network perimeter, companies are becoming more focused on data protection. Wireless security, cryptography, storage security and biometrics were the top five technologies that respondents said their organizations were planning to deploy. Ayoub said companies are implementing more security measures for their wireless networks because they "are a real path to the data."

The interest in biometrics, researchers said, shows the continued need for organizations to improve access controls to protect sensitive data.

Information Security's Priorities 2008 survey also showed heightened interest in protecting sensitive and confidential data. About 68% of readers surveyed said they will be spending more time on data protection this year. Some 66% said database security is important while 58% viewed creation of a data deletion and retention process as vital.

Despite a slow economy, Frost & Sullivan estimates that the number of information security professionals will increase to almost 2.7 million by 2012, up from approximately 1.66 million today.
