IT Security Professionals Lack Focus on Strategic Security Priorities

Security professionals are reluctant to adopt a more comprehensive endpoint data security approach for fear the gains in security may be outweighed.

IT security and CSOs

Information security professionals overwhelmingly covet a single, comprehensive endpoint security solution; however, endpoint security deployment is tactical and driven more by firefighting than strategy, according to a report on endpoint security conducted by Enterprise Strategy Group (ESG) on behalf of Digital Guardian.

Despite recognition of the problem—that endpoints are still at risk and data breaches are increasingly common—more than one-third of respondents to the survey aren't addressing the problem strategically because members of the security staff are spending too much time attending to high-priority issues.

More than half of the survey respondents increased budgets for endpoint security, but much of the investment went to antivirus (AV) protections, and nearly one-third of respondents describe a complex enterprise landscape where they deploy three or more unique AV products.

"To truly secure the data, you must be at the endpoint, you must see every data and process event, and you must have controls set up. This is hard, but it can be done," Ken Levine, CEO of Digital Guardian, told eWEEK. "Given that data is the target from threats originating both inside and outside the organization, companies must recognize this and make data protection a priority for 2015. The good news is that the winds are changing—we're hearing from more and more customers that are seeing the need as billions of dollars in perimeter defenses have not been able to stop data breaches."

Compounding this complexity is the fact that more than half of those surveyed shift between AV vendors frequently, impacting end-user performance and draining IT resources.

When asked what type of endpoint security technology approaches would be most attractive, more than half of the respondents said a comprehensive endpoint security solution from a single vendor.

"We strongly believe that protecting data at the endpoint should top the security professionals' list of 2015 priorities. While traditional DLP [data loss prevention] solutions have not necessarily been implemented beyond compliance, a proper data protection strategy is still the single best way to go," Levine said. "Even the recent hacking incident at Sony Studios makes it clear—data is the target and adding protections at the data level is the only way to ensure protection."

Yet the report indicated senior security professionals are reluctant to adopt a more comprehensive endpoint data security approach for fear the gains in security may be outweighed by an impact on end-user productivity, a significant and common enterprise concern.

"The research shows that the biggest stumbling block is even getting up to the start line," Levine said. "Companies already have antivirus protections in place, so when faced with questions about endpoint security it is easier to shuffle around AV vendors to help address problems, rather than taking a step back and developing a strategy. IT professionals are also very sensitive to negatively impacting end-user productivity and disrupting the status quo."