A fistful of security fixes to help CSOs stay ahead of risks

Enterprises are having a challenging time getting ahead of security risks, but experts say a handful of long-term improvements could help

By George V. Hulme, CSO
December 10, 2013 03:51 PM ET

CSO - No matter how valiant the efforts of chief security officers, or how much businesses say they focus on securing their systems, or the amount of money spent on IT defenses -- many of the same IT security challenges persist.

Enterprises lag in their ability to swiftly detect breaches -- an important measure of security maturity. According to the 2013 Verizon Data Breach Investigations Report, 62 percent of organizations didn't detect breaches for months or longer -- and partners, customers, or other outside parties identified about 70 percent of those breaches.

There's clearly much room for improvement, but as the number, duration, and costs of attacks reveal, as well as our interviews in recent weeks, there certainly won't be any quick fixes. However, according to the experts we've spoken with, there are a handful of areas that, if dramatically improved, would significantly shorten today's chasm between defender and attacker.

1. Close the skills gap

One of the challenges cited repeatedly during our interviews is the difficulty organizations have finding the security talent they need. Earlier this year the International Information Systems Security Certification Consortium conducted a study that found more than half -- 56 percent -- of organizations believe their security departments are understaffed.

The challenge here is that technology and attack methods are moving swiftly, and so are adversaries, but formal education and corporate training aren't keeping pace in producing the security skills needed to cope with constant changes in mobility, cloud architectures, virtualization, and other areas.

"We are always seeing conversations about staffing concerns," says Daniel Kennedy, research director for information security and networking at 451 Research. "And it's not just small and mid-sized companies that are having trouble finding and retaining talent, it's a problem even at the top," he says.

2. Shifting away from a regulatory compliance mindset

One of the most necessary shifts is that from a focus on regulatory audits and compliance to security risk management. Many enterprises have spent years -- justifiably -- with a focus on regulatory compliance. However, many say, the focus remained too intently on compliance and not enough on the essential security of their data, applications, and infrastructure.

And despite this focus on regulatory compliance, there's little in the way of improved outcomes to show for the effort. Our eleventh annual Global Information Security Survey, conducted by PricewaterhouseCoopers, CSO, and CIO magazine, found that the loss or damage of internal records more than doubled in one year.

"This focus on regulatory compliance, rather than security, has been underway for many years," says Candy Alexander, former CISO at Long Term Care Partners, LLC, and currently a member of the board of directors at the Information Systems Security Association.
