Senior Execs Have 'Serious Disconnect' on State of Data Center Security

Senior managers are often in the dark about the security measures in place in their data centers, while data center managers are often falling short in enforcing existing security policy requirements.

Senior corporate executives are largely unaware of how secure their data centers are, according to a recent report.

Only 22 percent of data center managers surveyed in a report felt senior management is aware of the company's security preparedness, according to a data center study from Gabriel Consulting released Oct. 3. There is a "serious disconnect" between what managers think about the security measures in place and what is actually implemented, the survey found.

"It is astounding that almost two-thirds of our respondents say that their management is in the dark about their true security status," said Dan Olds, principal analyst at Gabriel Consulting Group.

Management "needs to seek out the truth," and data center managers need to be "frank and honest" when discussing strengths and weaknesses of their security mechanisms, Olds said, noting that it is better to discuss potential issues before a security breach. The survey shows that management is "ripe to be blindsided" in the event of a security breach, according to Olds.

The results of the study are strikingly similar to the conclusions reached by PwC in its annual Global Information Security Survey, released mid-September. In the PwC report, 43 percent of those surveyed believe their organizations qualify as "leaders" in how they'd implemented security. In actuality, less than 5 percent of the organizations actually qualify as "leaders."

Most of the executives in the study have a "false sense of security," said Mark Lobel, a principal in the advisory services division of PwC.

Management often views data center security as an expense item that doesn't provide a financial return, said Gabriel Consulting's Olds. "Security is only an issue to management where there is a problem-otherwise, it's still a 'why are we spending all this money' question in budget meetings," a respondent told Olds.

In the most recent study, more than 40 percent of survey participants feel their organization is not keeping up with the latest threats, Gabriel Consulting found. Even more disconcerting, 40 percent said that their organization's day-to-day security does not meet the standards set by official policies that are in place. Nearly half of the information managers said they are "constantly" finding security holes within the data center.

Organizations with centralized security did not fare better than others, the study found. Just centralizing security responsibilities and authority isn't enough, according to Olds. A "real effort" to implement strong "defense in depth" security to defend against inside and outside threats, but flexible enough to allow users to do their jobs is required, Olds said.

The report also found that organizations used as many as seven security vendors to secure the data center. More vendors introduce complexity as the products all have different tools and consoles, but still need to be configured to work together. Olds said he expects enterprises to reduce the number of vendors they work with over time, as they invest in more integrated products that solve multiple problems.

There were other red flags in the report. Despite the fact that half of the respondents in the study believe that virtualization and private cloud require unique security measures, most respondents reported using the same tools to secure both physical and virtual infrastructure. Approximately 70 percent of respondents were skeptical of public cloud security, the survey found.

The 2011 Data Center Security Survey focused on security issues faced by 147 enterprise data managers.