Organizational Complexity is a Security Risk Factor

Ponemon Institute report sponsored by Citrix, reveals key challenges facing IT professionals and the need for a new IT security framework.

Complexity Security Risk

When it comes to keeping organizations safe and secure from cyberthreats, a Ponemon Institute study, sponsored by Citrix, found that complexity is a leading risk factor.

The report titled, 'The Need for a New IT Security Architecture: Global Study' surveyed 4,268 IT and security professionals around the world. A key theme of the report is that new approaches to IT management are needed to help provide security, as current approaches are not sufficient.

Among the big challenges that the study reveals is the relationship of IT complexity to security.

"What surprised me most was that 83 percent of respondents said their organization is at risk for security because of the complexity of business and IT operations and that 74 percent of businesses say a new IT security framework is needed to improve security and reduce risk," Stan Black, Chief Security Officer at Citrix told eWEEK.

The challenge of complexity comes in many different forms. The emerging internet of things (IoT) era brings with it additional security challenges that 75 percent of surveyed organizations said they were not fully prepared to handle. In addition to complexity, 78 percent of respondents noted that the growth of data assets is a leading risk factor. Funding is also a risk factor with 67 percent reporting that lack of funding to support cyber defense initiatives is an issue.

The report also identifies multiple human risk factors for IT security. 81 percent of respondents identified insufficient security staff knowledge and credentials as a key human factor risk trend. Additionally the study found that employees are complacent about security (74 percent) and generally lack awareness of security practices (72 percent). Adding further to the list of human risks, 71 percent of respondents noted that a key risk trend is the inability to control employees' devices and apps.

Black commented that organizations literally can't afford to address security challenges point by point. In his view, the larger issues like complexity need to be addressed to solve the bigger problems.

There are a few things that organizations can do to mitigate risk, according to Black. He suggests that organizations have up-to-date logging and incident response plans. Additionally it's important for IT security professionals to know what's going on in their organizations.

"Advanced monitoring tools give you full visibility into your IT infrastructure with the ability to detect threats, misconfigurations and performance issues, so you can respond fast and avoid user interruption," Black said. "These also help your business remain compliant with regulations and reduce the scope of security and compliance audits."

Black also recommends that organizations ask their vendors the right questions. When looking at cloud, virtualization, networking, Enterprise File Sync and Share(EFSS) or Enterprise Mobility Management (EMM) providers, questions that should be asked include where the data is stored, who gets access and what kinds of data retention policies are in place.

Looking forward, Black expects that on a positive note a year from now many cloud security issues will likely be resolved.

"Businesses are changing the way they look at and adopt cloud computing and they're asking more questions about the management and lifecycle of data, where it's stored and who has access to it," Black said. "I think we'll also see changes in compliance regulations and identity and access management."

"The world is getting a lot more strict about securing data and applications and that's a good thing," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.