Closing the Security Gap

The IT threat landscape is constantly changing, yet many security departments can’t align their spending with the most dangerous threats—the ones that keep technology and security managers awake at night. Why is that?

To find the answer, Baseline commissioned Ziff Davis Enterprise Research to survey the security community. The 2008 Security Survey revealed that most security gurus are not spending their budgets on the risks that most concern them. (See charts on the following pages.)

We examined the survey results and consulted with experts to find out why—after all this time, money and effort—security teams are still struggling to keep up with today’s biggest risks. The overwhelming evidence points to the fact that even though many are aware of these threats, they’re still clinging to yesterday’s security products.

For at least two years now, security experts have been going on ad nauseam about the “de-perimeterization” of the enterprise network. “A number of years ago, we let the IT guys build the firewall and worry about the security of the network,” says Eddie Zeitler, executive director of (ISC)2, the security education organization responsible for CISSP accreditations. “Now, because the perimeter is so open, the first thing we talk about is the data and how to protect it.”

IT has been helping the business make connections with partners via portals and Web applications, but it has been punching holes in the network in the process. Insecure legacy systems that weren’t made to be online are now fully connected, giving more individuals than ever access to critical data. On top of that, users have been increasingly utilizing mobile devices, transporting data outside company walls. All this contributes to heightened threats that can’t be addressed by traditional signature-based anti-virus software and old-guard firewalls.

*View the full research that was the basis for this article.

“The whole perception about security is changing, as managers realize that they are letting more people come into their organization and onto their network to access their systems,” says Deven Bhatt, director of corporate security for Airlines Reporting Corp. (ARC). “They are partnering with more and more people and are connected with everyone. And because of that, they must have information-centric security.”

Bhatt is right: There is a growing awareness of a new generation of risks. In our survey, we asked security insiders what the two greatest internal threats to security are. Thirty-three percent said internal user ignorance of privacy regulations, and 21 percent said internal user theft of data.

They were also concerned about the loss and theft of tech devices. Thirty-one percent put theft of laptops and mobile devices in their top list of worries, and 17 percent added theft and loss of portable media.