cioinsight.com
  • A review of recent headlines provides the latest reminder that organizations are under siege. Companies like ADP, LinkedIn and Yahoo—as well as federal agencies such as the FBI and IRS—have reported substantial breaches this year, and the list is sure to get longer. One thing has changed, however: Today's attackers have developed a taste for ransomware and phishing, which have become favored weapons for accessing corporate information, employee data, intellectual property and other valuable content. Just how popular and effective ransomware and phishing have become is the subject of a recent Osterman Research report sponsored by several security vendors. Osterman surveyed 162 IT and IT security executives from companies that averaged 16,313 employees and 14,161 email users, and it found that phishing and ransomware are growing several hundred percent each quarter—a trend Osterman expects to continue for the next 18 to 24 months. But the situation is far from hopeless. "There are a variety of best practices that organizations should follow in order to minimize their potential for becoming victims," an Osterman researcher wrote in a recent blog post about the report. "Among these best practices are implementing security awareness training, deploying systems that can detect and eliminate phishing and ransomware attempts, searching for and remediating security vulnerabilities in corporate systems, maintaining good backups, and using good threat intelligence."

  • The need for speed is forcing many organizations to confront an inconvenient truth: While security is clearly critical to business, many enterprise leaders are still willing to cut corners and take risks. An October 2016 study conducted by Coleman Parks Research and CA Technologies, "The Security Imperative: Driving Business Growth in the App Economy," points out that too many companies are not following a best-practice approach to security and risk management. Although executives view security as critical to protecting the brand and even think of it as a competitive differentiator—with many execs using metrics to measure the impact of security on the business—there's often a willingness to compromise security in order to get applications to users faster. However, the report noted that speed and security aren't necessarily mutually exclusive concepts. By bringing security into the equation sooner and adopting best practices such as DevSecOps, it's possible to ratchet up both performance and protection. Here are some of the key findings from the survey of 1,170 global senior business and IT decision-makers.

  • In theory, a DevOps culture stressing communication between software developers and IT operations professionals can improve application security by enabling organizations to find and fix issues more frequently and earlier in the process. In practice, however, security often takes a back seat to speed and innovation during software development, especially with the growing emphasis on rapid application delivery. A recent study by Hewlett Packard Enterprise titled "Application Security and DevOps Report 2016" reveals that few DevOps programs actually include security as part of the process. Only one in five of the 500 IT operations professionals, security leaders and developers surveyed said their organization conducts any application security testing during development. Even more alarming, almost as many aren't using any technologies to protect their applications. Most organizations adopting DevOps are relying on the technologies downstream, such as pre-production penetration testing and network security, to protect apps. The vast majority of respondents said integrating application security into the process has actually become more difficult since their organization deployed DevOps. The study cites a widespread lack of security awareness and training for developers, as well as a shortage of security talent in the enterprises included in the study. Unless organizations address the disconnect between developers and security teams, problems could worsen in DevOps environments, the study authors advise. They recommend that security be embedded throughout every stage of the development process, with executive support and metrics to hold teams accountable, and that security tools be integrated into the development ecosystem.

  • With cyber-breaches and cyber-security in the news on a daily basis—and demand for security experts on the rise—one would think that the field would deliver a robust career path. However, according to an October 2016 report from the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG), "The State of Cyber-Security Professional Careers," this simply isn't the case. The two organizations polled 437 information security professionals located in all regions of the world and found that industry rhetoric doesn't necessarily match reality. Many cyber-security pros aren't sure how to proceed with their career path; many aren't receiving the training they desire or need; relationships between business, IT and security teams are lacking; and too many organizations accept "good enough" rather than very good security. Moreover, many organizations are using a broken model. Among other things, many security executives are not getting enough face time in the boardroom—a significant factor that contributes to turnover. And organizations are struggling with internal relationships among the cyber-security, line of business and IT teams. Here's a look at some of the key findings from the report, along with how these factors are affecting security careers.

  • Enterprises are flocking to the cloud for the efficiency, cost savings, flexibility and scalability this technology offers. In fact, 40 percent of applications, on average, are deployed in the cloud, and that is expected to grow by an additional 30 percent in the next 12 months. "The 2016 Enterprise Cloud Backup Study," conducted by research firm Vanson Bourne for CTERA Networks, highlights this mass migration to the cloud and explores the challenges involved. Based on a survey of 400 IT decision-makers and specialists, the study finds that most organizations use a hybrid cloud approach, but don't treat cloud and on-premise services equally when it comes to backup. Almost two-thirds devote more attention to backing up in-house data and apps, relying on service providers to handle cloud backup. Organizations should be wary about counting on a third party for their only backups, the study's authors advise. Some 28 percent of those surveyed do handle backups on their own, but the legacy tools they're using aren't designed for cloud-based deployments, which can lead to labor-intensive management and higher costs. There's a clear disconnect between those findings and the fact that more than one in three respondents believe that the loss of data in the cloud would be more catastrophic than a crash in their on-premise data center—and 14 percent claim it would cost them their jobs. A safer solution, according to the report, is a hybrid backup architecture in which on-premise backup appliances replicate data to the cloud for a two-tiered data protection platform. A hybrid backup approach with versioning controls offers a solution to the growing problem of malware, particularly ransomware. Overall, the research spotlights the need to protect critical cloud-based applications.

  • The city is expanding its security platform, which provides constant, in-depth visibility into networks and data flow and greatly reduces its threat exposure.