Look for this year to mark the start of a new era in information security – the era of outsourcing security. So advises CounterTack’s CTO Michael Davis in InformationWeek Reports’ summary of the 2014 Strategic Security Survey (registration required to download report).
Managing the complexity of security remains the top challenge facing the 536 respondents (all from companies with 100 or more employees) to the annual survey. The main culprits are personal devices. According to the survey report, 58% of the respondents see an infected personal device connecting to the corporate network as a top security concern, even more so than phishing and lost devices. Almost as many (56%) say cyber criminals pose the greatest threat to their organizations this year, followed by authorized users and employees (49%).
Perhaps most discouraging is the fact that 75% of the responding organizations are as vulnerable or more vulnerable to malicious code attacks and security breaches than they were a year ago. The reasons: the threats are more sophisticated (77%), there are more ways than ever to attack a corporate network (66%), and budgets are constrained (40%). Despite the increasing complexity and avenues for threats, companies are only spending 1% to 5% on security, the same amount Gartner reported in 2010, Davis pointed out.
“Look behind the numbers and it becomes clear the issue isn’t just, or even mostly, about technology,” Davis said. “It’s about a lack of people to execute.” He added that most business executives realize they must do something about security, but that awareness doesn’t necessarily translate into a bigger budget for the chief information security officer. It still comes down to measuring the value of security investments. Even with record-setting breaches, most organizations still measure the value of their security investments by whether they pass a third-party audit, the report revealed.
Add a shortage of skilled security professionals on the market and it is understandable why outsourcing to managed security services providers (MSSPs) is gaining the attention of business executives. The 2014 IT Budget Outlook Survey found that half of the respondents outsource 20% or more of their IT operations and 28% outsource 40% or more. “And plenty of large trusted technology vendors are in the MSSP business, so get used to the idea being on the table,” advised Davis.
From an information governance perspective, ARMA would encourage those considering this outsourcing not to fall into the trap of thinking they also outsourced ultimate accountability for the effectiveness of the security measures. At the end of the day, we can expect customers to still hold the primary company responsible for how their data is secured, protected, and used. If a breach occurs, it is unlikely they’ll hold the supplier responsible instead of the company they initially shared the information with.