Cost considerations limiting Australian CSOs' decision-making, but shouldn't be: survey
- 20 December, 2013 10:53
Australian CSOs' decision-making was driven more by economic conditions in 2013 than any other factor, according to a recent survey that also found bring your own device (BYOD) strategies continue to represent the biggest security headache for information-security executives.
Nearly 45 percent of the respondents to the survey, conducted by security vendor WatchGuard Technologies amongst 186 respondents across Australia and New Zealand, found that economic restrictions influenced their security purchases and strategy.
By contrast, other critical areas – including protection against data loss, damage to company reputation, regulatory compliance and internal policy compliance – were each only nominated by five percent of respondents.
The survey also teased out information about the frequency of regular risk assessments, with 27 percent of organisations conducting their assessments once or twice a year; 20 percent running quarterly or monthly assessments; and 19 percent running tests daily or weekly.
Fully 10 percent of respondents said they test their IT security protection less than once a year.
Regular testing of security protections is widely recognised as important to ensuring security protections remain effective despite organisational and technical change – particularly in the context of compliance with standards such as PCI DSS, which will increase the expectations of companies handling credit-card data when its 3.0 iteration is gradually rolled out over the next two years.
Such requirements are steadily increasing the requirement for CSOs to take proactive and regular steps to ensure information-security integrity – with many needing to increase the frequency of their IT policy reviews to ensure they address changing security requirements.
Although 43 percent of respondents run their entire security infrastructure inhouse, fully 30 percent of respondents said they only review security policies as needed, with six percent saying they never conduct policy reviews because they have no documented policies to review.
The numbers were even more significant because 18 percent of respondents leave the management of their security equipment to a service provider – an activity that is widely understood to require additional oversight to ensure continuing compliance with regulatory, legislative and best-practice standards.
Given the need to improve overall security protection mechanisms, WatchGuard ANZ regional director Pat Devlin said in a statement that it was “deeply concerning that economic conditions can have such a strong influence over the setting of an organisation's security strategy.”
“While everyone understands that budgets may be tight at times, cost should never be a reason for introducing short cuts when setting security standards,” he continued. “The financial costs and damage to an organisation’s reputation from a single security breach can have a significant and critical long-term impact.”
Changes in CSO behaviour will boost visibility of security initiatives, with WatchGuard going so far as to name 2014 'The Year of Security Visibility” as recent breaches of large organisations' security defences drive them in 2014 to deploy security tools to help identify vulnerabilities and set stronger policies to protect crucial data.”
“Outdated legacy defences, misconfigured security controls, and oceans of security logs make it impossible for security professionals to protect their networks and recognise important security events,” the company warned in its list of eight security predictions for the coming year.
Top-level victims, WatchGuard warned, will be targeted through their least-secure links, like partners and contractors – helping reinforce the need for better visibility.