The latest research from ESG calls attention to a serious problem in our industry that shouldn’t come as a surprise to most: "firefighting" – that is, chasing quick fixes for problems or their symptoms – is preventing security professionals from effective strategy development and execution. Logically, this makes sense. More time spent trying to quickly or temporarily fix security issues means less time to focus on developing an effective security program to mitigate the greater causes of those issues.

ESG senior principal analyst Jon Oltsik summarized their findings, stating that "Our data shows that security professionals know that endpoints are at risk, but their current responses still seem tactical and incident-driven."

Jon’s recommendation for security teams? "It’s time to take a more holistic view of endpoint security and determine which tools, such as advanced malware detection and granular data security, will and should top the list of any comprehensive solution, whether that’s from a single vendor or a combination of best-of-breed technologies."

As data breaches continue to rise in both frequency and impact, security pros certainly recognize that their endpoints – and ultimately their data – are at risk. However, only one third of respondents are taking a strategic approach to addressing those risks. Over half of those surveyed reported increased endpoint security budgets, but said that most of those budgets are being spent on antivirus solutions (and if you need convincing as to the efficacy of those tactics, go ahead and ask Symantec if antivirus still works). To make matters worse, many organizations are buying multiple different AV solutions or changing AVs constantly, an approach doomed only to increase complexity, hinder end user performance, and strain IT resources.

Over half of those surveyed are seeking a comprehensive endpoint security solution from a single vendor, but survey results indicate that security professionals are still in firefighting mode, reluctant to deviate from the information security status quo. Will 2015 be the year we see a shift towards strategic information protection?

Note: the full report from ESG will be published later in the year. Stay tuned!