Security Policies Hampered by Limited Visibility, Manual Processes

Almost 20 percent of respondents raised the issue of poor communication among key stakeholders across development, security and operations groups.

Understanding risk from a business perspective is a top network security concern for organizations, according to a survey of 142 information security and network operations professionals, application owners and compliance officers conducted by network security specialist AlgoSec during the RSA Conference in February.

Nearly two-thirds of respondents reported that manual processes, limited visibility into security policies and poor change management practices posed the greatest challenge when managing network security devices.

Almost 20 percent of respondents raised the issue of poor communication among key stakeholders across development, security and operations groups, an 80 percent increase from last year.

The inevitable mistakes that arise in this environment create consequences for a growing number of organizations, with more than 80 percent experiencing network or application outages as a result of out-of-process changes, up from just over half in 2012, the report found.

"Recent high-profile cyber-attacks have quickly elevated security discussions to the board level at many organizations. This requires a fundamental shift in how security professionals think and communicate," said Nimmy Reichenberg, vice president of marketing and strategy, AlgoSec. "The survey results underscore the need for security teams to understand business requirements to ensure agility as well as to understand the impact of vulnerabilities on the business for effective risk mitigation."

Last year, one in five organizations expected to move more than 40 percent of their business applications to the cloud, and this year more than 15 percent already use cloud hosting for the majority of their applications, the survey revealed.

While the advantages of cloud hosting have led three-quarters of organizations to use it to some degree, three out of five respondents said they still worry about ensuring application availability and security with off-site data centers.

In addition, nearly three-quarters of organizations rated accidental data leakage or malicious behavior by insiders as their No. 1 risk, up from less than two-thirds last year.

Half of respondents who outsource management of security controls or sensitive information were less than confident in their provider’s ability to provide protection.

Most organizations (64 percent) remain hampered by time-consuming manual processes, obscured security policies and poor change management practices.

Meanwhile, communication issues rose in importance this year, with 18 percent saying that aligning the development, security and operations groups was their No. 1 challenge, up from about 9 percent in 2012 and 2013.

Almost one in five organizations (18 percent) report that the details of ensuring business application connectivity posed the greatest challenge in network security management, a nearly 50 percent increase over the number in 2013.

Enabling that connectivity drove more than 40 percent of all firewall rule changes for the majority of organizations (56 percent) and accounted for more than 60 percent of rule changes for nearly two out of five (37 percent) organizations.