Executives, tactical staff offer varied views of IT security
Published December 10, 2014
By the numbers, the modern IT security executive fears nothing more than external threats that emanate from the technological wilds with no warning and no end.
IBM’s third annual Chief Information Security Officer (CISO) study, conducted by the IBM Center for Applied Insights, assesses the morale of the decision makers who have assumed, in a time of incessant digital hostility, the maddening role of technology protection.
The survey is based on responses from 138 in-depth interviews with the surveyed organizations’ most senior security leaders. The math is unsurprising. Sophisticated external threats were identified by 40 percent of security leaders as their top challenge.
The study aimed to reveal how organizations are currently protecting themselves against cyber attacks. From the data, it seems that the countermeasures of today’s IT department are both old and new. Seventy percent of security leaders believe they have mature, traditional technologies that focus on network intrusion prevention, advanced malware detection, and network vulnerability scanning.
However, nearly half (50 percent) agree that deploying new security technology is the top focus area for their organization, and they identified data leakage prevention, cloud security and mobile/device security as the top three areas in need of dramatic transformation.
Yet the concerns over IT security are as diverse as the companies that make up the global economy. Every business must adopt core policies—say, for governance and monitoring—yet the challenges of protecting data for retailers are different from business to business actors, and different again from industrial firms. Anywhere people use technology, the challenges are often different, but they all mesh into one big feeling of anxiety—from headaches over password management to fears of a million-dollar breach.
A recent survey of Global WebSphere Community (GWC) members reveals just how varied security concerns can be in modern IT departments. The open-ended responses together suggest several themes that repeat across different industries, themes like access management, identity management, governance, user education, and security analytics. Within those categories, though, arise dozens of tactical challenges and obstacles that trouble the technical-level pro every day, every shift.
As technology evolves, so do the options to confront an ever-changing range of external and internal threats. Companies must adapt to cloud security, whether deploying on public, private, or hybrid infrastructures. In the BYOD era, specific mobile-borne issues mean that the enterprise must prepare for problems related to the newest smartphone, wearable, or tablet concept. As technology grows, so do its vulnerabilities.
A read of the anonymous comments below, pulled straight from the GWC survey responses, will get you laughing, make you dizzy, and convince anyone—even a CEO—that protecting a company and its technology is a fulltime job.
Access
Requiring authentication for accessing environments especially in prod
Transferring passwords for certificates to requirements team and to vendors
Security enabling requiring authentication across various hosts for accessing specific apps or using specific calls
Authentication for being able to modify certain information in environments
Adaptive authentication for customers
User Education
The “non-tech savvy” education is a must
User education
Preventing stupid user tricks
Educating our doctors and nurses to make sure they at the very least know the basics of computers and computer security
A brain transplant for upper management
Development
Secure source code & code build
Coding flaws
Designing logging to meet conflicting requirements
Preventing stupid developer choices from going to productions
Integration
Supporting BYOD
Too many technologies
Too much money spent on training and no integrated framework to connect these technologies
External Threats/ Identity
Cyber attacks
Protecting Personally Identifiable Information (PII)
Complicated Service Contracts with Technology Partners
Effective defenses against viruses, malware, etc., that can be activated through a browser
Documentation of PII and SBI data elements, and compliance
Public cloud access and VPN
Logging requirements potentially conflicting with PII/SBI retention rules
Migration/ Legacy systems
Migrating WebSphere 5 applications
Unstable environments
Keeping a secure environment secure but not disable program development
Data
Need of test system availability anywhere, but only 1 system for a worldwide community is setup, so data clashes
Methods for securing passing of sensitive information even within a green zone (friendly internal network) and also methods of storing the information in same type of environment
Monitoring Confidential Information Flow
Sharing confidential information in unrestricted communities when trying to be inclusive