The TechTarget 2015 Annual Salary and Careers Survey polled 1,783 IT professionals in North America between June and September of 2015. Among those who said that security was one of their top three concerns (354 respondents), IT risk management and regulatory compliance were also cited as top concerns by, respectively, 34% and 25% of those respondents.
Among senior IT executives with a security focus who were planning for 2016, however, the order of importance shifted: 23% cited compliance as a top three concern, while 18% cited risk management.
More than anything else, security-focused respondents are aiming to improve operational efficiencies in 2016, but experts said it may be difficult to improve efficiency when it comes to IT risk management and regulatory compliance.
Ryan Barrett, vice president of security and privacy at Intermedia, said risk management can feel time-consuming because the process can be very long and results may not appear for months or years.
"It involves constantly measuring risk (which is subjective), guessing at the likelihood (also subjective) and coming up with a plan to mitigate the risk. Following that risk from the beginning (identification) to the end (mitigation) can be long and boring," Barrett said. "It's not the sexiest part of Information Security, but it truly can yield some tangible results in keeping the business safe. The road may be long, but it's worth traveling."
Jeff Schilling, CSO for Armor Defense Inc., said that understanding time and resource limitations is often the key to risk management.
"First, set up three risk categories (high, medium and low). Next, build your IT architecture to allow you to have the best visibility and detection capabilities across your high-risk category workloads and focus your patching, protection and detection operations on the highest risk workloads," Schilling said. "You may make the assessment that your organic security may not have the tools or experience to protect your highest classification data. At that point, you should consider outsourcing to a secure hosting environment that does have the needed tools and skilled security team. The other thing I would recommend is assume your user environment is compromised. Build your access management systems with two-factor authentication and role-based access [control] to narrow the risk."
Paul Nicholson, director of product marketing at A10 Networks, said the act of prioritizing risk can be time-consuming because of where sensitive data is located, and the emerging risks faced can be unique to each company.
"Risk management is so time-consuming because organizations must understand where sensitive data is in their organization by discovering and classifying that data and then continually assess[ing] and prioritize[ing] their risks based on this information," Nicholson said. "IT teams must look at emerging risks that are unique to their organization or their industry and look at general security risks -- such as a critical application vulnerability -- to effectively manage risks."
A vice president of IT Security and Compliance at a small business who responded to the survey, but wished to remain anonymous, said risk management was time-consuming because of limited resources.
"In the ideal world, I'd have an unlimited budget, and a business model that is inherently safe," the respondent said. "However, in the absence of those two items: I'm striving to more completely engage the C-Staff and board of directors to build an agreed upon risk appetite, from which I can then apply technical controls to support. The real challenge right now is that I'm largely operating in a vacuum. Assuming I can gain traction with the C-Staff, I'll gain a reasonable budget, and from that, I will definitely be automating as much as possible."
In terms of compliance, Barrett said that every industry offers unique regulatory challenges and many industries are required by legislation to comply with long-term data management regulations.
"Compliance is often determined on three factors," Barrett said, "security: data must be safeguarded against all threats to its integrity; permanence: data must be retained in its original state without being altered; and auditability: data must be accessible in a timely manner when required."
Schilling said a problem with regulations is that many are based on a potentially outmoded network-centric approach to security, and he suggests a data-centric approach would be better.
"You should focus your biggest efforts on protecting your data centers where your applications and databases live. After all, that is what the threat actors are after," Schilling said. "Start security from the inside out. Protect the data base with application level encryption that keeps only those with access to the keys from ever getting access to unencrypted data; put anomaly monitoring between the database and the application; and put strong authentication (multi-factor) between the application and the user and only allow the user to view and/or interact with the data, not download it."
Nicholson said regulatory compliance is time-consuming because organizations often need to comply with multiple regulations with different objectives and requirements.
"Not only do they need to implement appropriate security, privacy and change management controls, but they need to document these controls to auditors and regulators," Nicholson said. "Automation tools and technologies can help organizations accelerate compliance processes. Dedicated products, such as Web application firewalls and network firewalls and DDoS mitigation tools, can help organizations address compliance requirements, like PCI DSS requirement 6.6, HIPAA, and regional financial regulations, by protecting credit card data, personally identifiable information, and financial records from compromise. Many security tools can also produce reports and logs then can document compliance."
The unnamed survey respondent said dealing with multiple regulation standards was painful.
"Maintaining compliance would be easier if I had a single-source location where the various regulations that apply to our company could be lined up, and all the common facets, as well as the uncommon facets of the regulations, would be called out so that compliance efforts could be weighted for maximum effect across multiple regulations."
Despite the time-consuming chore of maintaining regulatory compliance, the respondent said it did improve security but that may not always be the case.
"At this stage, compliance is actually helping me call out security issues that expose the company to regulatory compliance issues," the respondent said. "However, I can see a point in the future, where certain compliance issues will no longer be directly related to security issues, and that divergence will be where I start to have a negative correlation between security and compliance."
Learn about managing shadow IT risks to the business.
Learn about avoiding the dangers of weak third-party controls.
Learn about overcoming legal and regulatory compliance hurdles.