Security pros are getting more time to check IT projects that are related to payments or personal information as corporate management increasingly favors security over a fast time to market, according to new Trustwave-commissioned research on corporate pressure on technology staffs.
Chicago-based Trustwave reports 53% of respondents feel more pressure to secure their environments in 2016 than they did in 2015. In last year's report, 63% said that pressure was higher in 2015 than in 2014.
In addition, security professionals report that security threats from inside the organization are as dangerous as those from external cyberattacks, according to Trustwave. In putting together its fourth annual report, Trustwave commissioned a third-party research firm to survey 1,600 full-time IT pros. They were security decision makers or influencers, with 600 of those in the U.S. and 200 each from Canada, UK, Australia, Singapore and Japan. The organizations employed a mean of 4,267 people.
"These are good trends," said Chris Schueler, senior vice president of managed security services at Trustwave. "It shows that organizations are starting to get it."
Trustwave notes a shift toward self-directed pressure for IT staff. About 46% of respondents in the 2017 report said the most pressure regarding security was coming from the company's board of directors or corporate executives, compared to 59% in the 2016 report. Twenty-four percent said the pressure was mostly from themselves as key security employees, illustrating more individual accountability in 2016, compared to only 11% who felt that way in 2015.
Those who said they were pressured to roll out a project at least once or twice despite concerns about security issues fell to 50%, from 60% the previous year, while those who said it never happened rose to 35% from 23% in the 2016 report.
Trustwave remains a strong advocate of corporate boards taking cybersecurity seriously and making it a regular topic at board meetings, but those boards need to let their top security pros drive the process daily, Schueler said. "What boards have done is put people in place that have taken on that personal accountability, thus shifting more ownership of the security program down to the right people," he added.
The trend toward fewer IT projects being "rushed through" despite security concerns also speaks to "personal responsibility aspect as sort of a theme" of this year's research, Schueler added. "These IT professionals are taking on more responsibility, slowing down the roll out of projects and making sure these security checks are done on time."
At first glance, the statistic showing 35% of respondents saying they do not believe their organization is safe from security threats might seem as if many are not confident about company safeguards for customer data, but Schueler said it actually is another good trend that slowly ends the "head in the sand" syndrome.
"This was another 10% increase in professionals saying that, but it's in what we call the 'reality check' area," Schueler added. "This is indicative of the realization of the risk they are facing and maybe an acknowledgement that there are not enough resources or people with the right skills and technology to battle advanced threats."
Despite some good trends, pressure on security staff remains significant. More respondents, at 29% this year compared to 24% last year, view advanced security threats as the main cause of pressure. The lack of security skills and expertise on staff was a key concern for 15% compared to only 5% last year. Concerns about a lack of budget and a lack of time went up slightly and remain overall problem areas.
Fifty-one percent of respondents viewed external threats as a greater concern than internal security threats, which 49% cited as a top problem.
The internal threats cited were numerous — weak passwords; unauthorized file transfers via e-mail or cloud storage; access privileges; unauthorized installation of software; lack of security updates or timely patching; and a general lack of security training.
"Getting the right security patches on devices is a top pressure concern," Schueler said. "But in some of our breach investigations we have seen companies that had the right patches, and a proper security program, but the attackers still got in."
Many times, a security problem occurs in "the connection between the keyboard and the brain of the user," Schueler said. "A pop-up comes on the screen that they shouldn't click, and it results in a targeted attack that lets malware into the system."
However, another positive trend unfolding is that 43% of respondents said they were partnering with managed security service providers to help compensate for a lack of skills or tools on staff. The number is up 4% from the previous year.
"Many more are saying that in order to reduce our pressure and reduce our risk, we should turn to someone who has the ability and skills to do this," Schueler said.