11 Data Issues That Keep IT Security Pros Up at Night

A new Ponemon study uncovers what’s really keeping IT security professionals up at night. Here are the key takeaways from the report.

According to the report, 62 percent of surveyed security professionals are concerned over their inability to have complete visibility into where their organization’s sensitive or confidential data resides.

The lack of confidence in knowing the location of sensitive data is compounded by the fact that more than half of security professionals struggle to understand the true risk to data contained in databases, emails and files.

The consequence of not knowing the location and risk of sensitive data is that security professionals are unable to protect their organizations from data breaches. More than one-third of respondents cite data breaches as the top IT security risk facing their organization. Employee/user negligence is reported to be the second-biggest risk, while noncompliance and malware/advanced persistent threats are considered the least risky.

More than half of survey respondents reported that their companies are using automated solutions to discover sensitive data and protect it from a potential breach. Sixty-four percent say their automated solution is developed in-house, rather than provided by a third-party vendor. That is a surprisingly high number—to eWEEK at least.

Although many organizations use automated solutions to gain visibility into user activity around sensitive data, nearly half of respondents admit they don’t actually know what is being tracked. Even among security professionals who do have this insight, there remains a discrepancy between what user activity is actually being tracked versus what should be tracked, particularly when it comes to privileged-user access, cross-border transfers, high-volume access and new proliferation of data.

Nearly three-quarters of respondents use data classification tools to improve data security. The most commonly used data classification tools are data monitoring (69 percent), followed by encryption or tokenization (61 percent) and data discovery (55 percent).

While there are a seemingly endless number of security and risk management vendor solutions in the market, about two-thirds of respondents report difficulties finding commercial solutions that help mitigate behavioral risks such as employee/user negligence or malicious insiders. As a result, IT security teams either go without these protections or are forced to build them in-house.

When asked to predict the process-focused security controls that will be most relevant during the next three to five years, more than half of respondents named security intelligence analytics to identify risk and threats. Threat feeds and intelligence sharing (45 percent), advanced authentication and identification solutions (40 percent) and user provisioning and identity management (37 percent) are also noted as becoming increasingly critical.

Security professionals expect that cloud-service brokers and cloud application gateways (40 percent) and user awareness training (39 percent) will be the most relevant target-focused security controls in the coming years. Respondents also cite information protection and control (such as data loss prevention, tracking, masking and encryption) and database firewall/activity monitoring.

Sixty-seven percent of respondents say that changes to their organization’s IT security programs are dictated by immediate threats and vulnerabilities. The second-most common driver of change is budget and resource constraints.

According to respondents, over the next three to five years, the industry trends that will have the biggest impact on decisions related to their organization’s security programs are the consumerization of IT/shadow IT, mobility and increased sophistication of attackers.