CISOs are struggling to balance compliance mandates with an ever-changing threat landscape, according to a new survey by McAfee Inc., and much of the technology being deployed to reduce the strain is being driven by the need to improve visibility and maintain compliance.
Overall it appears enterprises recognize they cannot efficiently address risk unless they understand what they are up against and can apply the appropriate controls.
Enterprise risk management is growing increasingly complex. The Risk and Compliance Outlook: 2012 (.pdf) report found that visibility is a constant challenge among increasingly complex systems. The survey found database security and security information and event management (SIEM) platforms among the top priorities, driven by the need to detect targeted attacks. The survey was conducted in January by Malvern, Penn.-based market research firm Evalueserve Inc. It included responses from 438 IT decision makers, administrators, consultants and security analysts who indicated they were involved in the evaluation, selection and day-to-day management and maintenance of security products.
McAfee said database security was a top challenge due to the increasing number of high-profile data security breaches and tougher regulatory mandates designed to protect sensitive information stored in company data centers. Survey respondents said the top two controls implemented to address visibility were database activity monitoring and configuration change management for enterprise infrastructure. While database management system (DBMS) vendors have security features and tools, about half of those surveyed indicated they use dedicated database security tools. About 42% said vendor security features protect their databases.
In addition, approximately 40% of organizations are planning to implement or update a SIEM platform, according to the survey. The goal is to improve visibility into applications, system logs and conduct event correlation to detect and flag anomalous behavior before it becomes a serious problem. But the survey found compliance is a bigger driver of SIEM.
Log management and maintaining an audit trail of activity is an important part of verifying to assessors that compliance mandates are being met, according to the McAfee report. The biggest challenge for demonstrating compliance, according to survey respondents, is to maintain compliance, followed by automating IT controls. Two-thirds of those surveyed said their organization was working to comply with ten or fewer frameworks or regulations.
“Mature risk averse organizations have well-defined risk management programs that address IT vulnerability in a business risk context, and therefore, address these issues more efficiently,” according to the survey. Factors that help enterprises gauge risk, according to the survey, include threats (87%) and vulnerabilities (83%), followed by countermeasures in place to thwart threats (71%), the value of assets (66%), and out-of-cycle patches (63%).
Patch management woes
Patch management frequency is a challenge, according to survey respondents. Survey respondents indicated that out-of-cycle patches cause major disruptions to both business and IT teams. About 70% of respondents indicated there is an impact due to out-of-cycle patches. More than half indicated it was a major impact.
Almost half of the organizations surveyed indicated patches are being deployed on a monthly basis. One-third are patching on a weekly basis. But not all companies are able to pinpoint threats or vulnerabilities, McAfee said. As a result, 43% indicated they overprotect and patch everything they can.
“Overall it appears enterprises recognize they cannot efficiently address risk unless they understand what they are up against and can apply the appropriate controls,” McAfee said in its report. “Without this knowledge and insight, the effectiveness of any security and compliance efforts cannot be effectively measured against the risks they are intended to mitigate.”
Organizations buying software, appliances to address risk, compliance
The survey found 96% of security budgets are remaining flat or rising in 2012, with about 30% of IT projects being driven by compliance mandates.
Software or appliance purchases for an in-house deployment (90%) was among the favorite approach for risk and compliance products, followed by managed security services (80%). The survey also found that Software as a Service (SaaS) was growing in popularity with two-thirds of respondents indicating they plan to use SaaS software for risk and compliance initiatives. “Comparing ‘deployed’ to ‘planned’ deployment methods indicates that while traditional methods are still favored – more than likely due to integration needs with existing infrastructure – there is a noticeable uptake in both the virtual machine and SaaS deployment methods,” according to the McAfee report.