For several years, one of the primary themes coming out of CompTIA’s security research was the importance that companies placed on being secure. Nearly every company we surveyed said that security was a moderately higher or significantly higher priority today than it was two years ago, and there was an expectation that security would continue to grow as a priority in the years to come.
There were some problems deeper in the data, though. Apparently, saying security is a high priority isn’t the same as taking the right steps. Companies continued to report data breaches—both in our surveys and in major headlines. There was a low level of concern for emerging topics, with most focus still placed on traditional attacks like malware. And companies still viewed security as a technology problem, discounting corporate processes and end user education.
Recently, signs point to increased activity around cybersecurity. One of the best examples is the spike in security-related job postings. According to BLS data from January 2016, the number of job postings in the classification “Information Security Analysts” rose 48% between Q4 2014 and Q4 2015. Looking back to 2012, there has been a 175% increase in these types of postings. Businesses recognize that they have gaps in their strategy, and hiring is one of the steps they are taking to close these gaps.
CompTIA’s latest report, Practices of Security Professionals, examines the responsibilities and challenges of those IT pros who have been tasked with keeping their company safe. General technology decisions are becoming more collaborative across lines of business, but there are still some areas where IT holds primary responsibility, and security is one such area. InfoSec pros need to understand where the business is exposed and how to take corrective action.
To start, the security discussion will typically be framed by the technology a company is using. A change in IT operations was the most likely trigger for changing a security approach, which makes sense since cloud and mobility are driving new behaviors. However, only 51% of IT pros cited this as a reason for changing security, yet far more than 51% of companies have adopted cloud and mobility. Technology trends are opening doors for businesses, but they are also opening security loopholes.
In building a modern security approach, IT pros should consider three major shifts. First, the notion of a secure perimeter is fading as applications and data travel outside an organization’s walls. New tools such as DLP and IAM are seeing wide adoption as companies focus on their portable assets. Second, there is a movement towards less prevention and more detection. Again, technology can help, as IDS/IPS detects the breaches that will inevitably occur and raises alerts. Finally, companies are moving from pure defense to an offensive strategy. Here, processes such as regular audits or compliance management combine with end user education to help companies prove they are following best practices.
Ultimately, the name of the game is lowering risk. One of the realities for digital organizations is that they will never be 100% secure. Changes in technology usage and attack vectors will always leave some area of exposure. The goal for security professionals is to determine the tools and activities that will reduce risk, define the potential costs and benefits, and execute on the strategy.