One of the things I have come to accept working in the security field is that most security pros are usually depressed about the state of security. It used to be worse, in fact. A few years ago, all one would hear at a security conference was how there was no innovation in security, the bad guys were winning all the time, no one took security seriously enough, etc.
But in the last year or so, I have seen glimmers of hope. We are seeing new ideas and methods in security, new companies and new ways of thinking. But all is not rosy. nCircle recently released the results of their third annual security and compliance trends survey. Not surprisingly, it shows that security pros still feel that we face an uphill battle in cybersecurity.
I spoke about the results of the survey with my friend Elizabeth Ireland, VP of marketing at nCircle. Elizabeth told me that nCircle received over 500 responses to this year's survey from contacts who identified themselves as security professionals. One of the most surprising trends to Elizabeth was that, despite all of the money and attention that cybersecurity garners, security pros still largely expect to suffer more breaches this year than last year. This is a trend that has remained constant over the three years, at 90 to 95%.

Ireland says, "An overwhelming majority of security professionals continue to expect the number of data breaches to increase. It's not clear if this expectation is a result of hackers getting better or security getting worse." So in spite of all of the attention, budget and resources, we overwhelmingly don't expect the number of breaches to decrease. Elizabeth questions whether this means security pros think that, in spite of it all, we are not making any progress.
Not surprisingly, compliance concerns still top the list of what security folks think is their biggest challenge. However, I was surprised to see that APTs (advanced persistent threats) had risen to the number two slot.

Another interesting trend is the seemingly illogical belief that, while cybersecurity in the U.S. continues to grow (though that belief is trending downward), a majority of security pros believe our own data is still less secure than it was two years ago.


So it seems that while cybersecurity is in the news, those of us on the front lines still believe that we are very vulnerable to breach and that the situation has remained pretty consistent over the last three years. Hopefully, continued efforts in cybersecurity will begin to change this in the years to come.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.