CISOs Fear Internal Data Threat
With all the focus that's been placed on external hacking and malware threats, most CISOs are actually more concerned with insider attacks when it comes to defending their organizations against potential data theft, according to a recent survey.
That is unsurprising in the sense that privileged insiders are those who know exactly where an organization's electronic crown jewels reside, and where its defenses may be weakest. Still, it seems impressive that an overwhelming 80 percent of the IT security executives interviewed by researchers at MIS Training Institute said that they were focused primarily on addressing internal risks.
At the same time, 80 percent of those executives interviewed said that they are not placing emphasis on attacks driven by nation-backed hacking campaigns, despite all the headlines that have been dedicated to such attacks.
MIS was hired to conduct its survey of roughly 60 C-level security executives by data filtering specialists NetWitness. The researchers did so at a CISO conference in Portugal, but said that the executives represented 20 individual nations around the globe.
Data loss remains the leading area of concern for almost all security leaders, with 97 percent ranking it first among those surveyed for the report.
And for all the complicated malware and hacking attacks looming on the horizon, only some 18 percent of those interviewed said that external threats cause them the greatest unrest.
Other recent reports, namely Gartner's, have estimated that security software spend will continue to rise despite the struggling economy. However, at least ten percent of the C-levels surveyed for the report said that they won't have anything to spend on new defenses over the next year.
In terms of those who are spending, 26 percent cited regulatory compliance and risk management initiatives as primary drivers of their planned investments over the next twelve months.
While data security remains the overriding trend, at least another 25 percent of those interviewed admitted that they don't feel comfortable with the level of electronic data protection that they currently have in place.
"Some of the results were not that surprising, for example, data breaches and insider threats continue to be historical security concerns for CISOs," Sara Hook from MIS Training Institute said in a report summary. "What is really alarming, however, is the misperception that traditional security approaches alone can protect against information leaks, and that some CISOs were not sure what they need for data protection or were not planning to focus any money in that area this year."
The biggest contributing factor to that problem is likely that many undecided leaders still haven't found a manner of creating controls that can properly address demand for data flexibility, in addition to maximum protection.
But if the biggest issue with stopping data theft is indeed finding a way to prevent trusted insiders from abusing their privileges, there's a good bet that no product is going to be able to effect serious change on the problem any time soon.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.