“Rarely is the question asked ‘is our children learning?’” former President Bush famously observed. The same might be said of our information security teams. And, if a recent survey by The SANS Institute is any indication, the answer to that (rhetorical) question is “no.”
The survey of SANS members focused on measuring whether information security practitioners are taking steps to prevent data breaches from happening. The results suggest that the vast majority of IT organizations are not.
The survey, Breach Detected! Could It Have Been Prevented?, was sponsored by the security firm Palo Alto Networks and full results will be published next week. But preliminary results from the survey suggest that “an apparent disconnect” exists “between what is considered preventive by the majority of respondents and the measures that have been implemented for prevention.” In other words: information security teams aren’t walking the talk when it comes to preventing breaches.
For example, 85 percent of respondents to the survey identified measures to block known malware as a means of data breach prevention. Yet fewer than half (40 percent) have actually implemented technology or other measures to do so.
Similarly, 63 percent identified robust testing of applications as a preventive measure. Again: only 39 percent of survey respondents said their organization performs robust testing. An almost identical disparity was found when survey respondents were asked about “metrics-based evaluation and reporting” – that is: 60 percent of those surveyed recognized it as a useful measure, but only 40 percent relied on it.
What gives? Digging into the “why” of this gap between awareness and prevention, the SANS survey uncovered a list of the usual suspects. Respondents said they lacked the staff, budget and skills needed to prevent breaches. Legacy infrastructure was also a factor, diverting resources and preventing organizations from taking more aggressive steps to protect data.
"Data collected from survey respondents [sic] points to the need to better define prevention in terms of the metrics (qualitative or quantitative) that can be used to explain and justify preventive measures to management/decision makers in an organization," said SANS Institute senior analyst and survey paper author Barbara Filkins.
This isn’t the first survey to identify the “disconnect.” In fact, a survey of IT professionals by the firm Gemalto found similar problems (see: “Security Investments and the Definition of Insanity”). In that survey, IT pros expressed low levels of confidence that their organization could stand up to an attack, with 69 percent of the 1,100 IT decision makers surmising that their organization’s data would not be secure if an unauthorized user penetrated their network. In that survey also, misplaced priorities were identified as a problem. Specifically: allocations to maintain perimeter defenses were squeezing out investments in data security tools that might prevent or mitigate breaches, Gemalto found.
Clearly, more work needs to be done to align IT security efforts with what everyone seems to recognize are “best practices” – particularly in the area of data leak prevention. Whether and how the stars might align to make that happen is, however, an open question.