Ahead of RSA Conference 2016 in San Francisco, the year's most prominent security conference, two of the world's largest data center technology providers have published evidence that organizations are growing less and less sure that their security operations are paying off.
Both Cisco and Hewlett Packard Enterprise released their annual security reports yesterday, summarizing surveys of thousands of security professionals worldwide conducted last fall. Each tells its own story from one perspective, but when the two are read together, the big picture takes on some surprising dimensions.
If you give the Cisco 2016 Annual Security Report (registration required) and the HPE 2016 State of Security Operations Report (registration required) equal weight, here is what you learn: as companies' security policies mature, their InfoSec departments separate from their IT departments.
Recognizing that the InfoSec department needs expertise on a par with the IT department's, more InfoSec groups outsource some, but not all, of their functions to outside consultants. As a result, their ability to mitigate both new and ongoing threats does improve.
But that improvement comes at a cost. When risk levels subside, so does the priority of the InfoSec department in the eyes of operations and budget managers. Funding requests get turned down, and professionals in those departments are tasked with doing more with fewer resources.
The result: their confidence drops. Fewer InfoSec professionals believe this year than last that they are accomplishing their business objectives, even when they actually are.
Lack of Awareness
Here's where it all starts: nearly two-thirds (65 percent) of the InfoSec leaders polled by Cisco say their organizations rate the state of their IT assets as "threatened." When asked what threatens them, more than half of that two-thirds subset (54 percent) count downloads of malicious software as one source, more than any other choice.
Still, some 39 percent of Cisco's respondents count "lack of employee awareness" as a threat source. Put another way, two organizations in five believe their own policies are leaving them exposed and vulnerable.
The HPE report asks InfoSec professionals worldwide to assess the maturity of their corporate security policies. Based on their responses, organizations are ranked on a scale from 0 to 5, where each point on the scale represents a specific, discrete readiness state.
A score of 3, says HPE, represents the ideal state for most enterprises' security policies, one where "operations are well defined, subjectively evaluated, and flexible." Level 3 is the highest goal an enterprise typically sets for itself when it commits to achieving full resilience.
In HPE's aggregate, North American InfoSec operations score 1.52. Central Europe scores 1.53 by comparison, the U.K. 1.26, and South America 1.92.
HPE perceives a mature InfoSec organization as one with its own Security Operations Center (SOC), staffed full-time, 24/7. While the SOC collaborates with IT, HPE would prefer that it not share personnel with IT.
The reason HPE cites is that the SOC needs a stable budget.
Aligning the SOC with the division of the organization responsible for compliance (GRC), states HPE, “can also allow for a more stable budget that is not constantly being repurposed for IT.
“The most mature operations report up through a security-, risk-, or legal-led organization, often to a chief information security officer (CISO), who reports to the CEO or to a chief risk or compliance officer,” the HPE report goes on to state. “SOCs that are organized within an IT operations organization may have high process maturity, but typically struggle with effective capability.”
Ironically, it’s when the SOC succeeds in its mission that it faces the most significant threat to this alignment. According to HPE, executives can burden the SOC with other administrative tasks, including IT-related ones, in order to reduce stress on other technical departments.
“SOCs frequently fail to define a succinct mission and scope,” says the HPE report. “This dilutes the organization’s perception of value due to misaligned expectations.”
According to the Cisco report, some 9 percent of respondents' organizations completely separate their security budgets from their IT budgets, up 3 percentage points from 2014. Still, more than half (58 percent) say the InfoSec budget remains part of the IT budget.
Cisco has a unique way of gauging the exposure that comes from blending IT and InfoSec into one. In a separate test of 115,000 Cisco-made network devices in active use worldwide, it found that a full 106,000 (about 92 percent) were running software with known vulnerabilities that Cisco had already documented and disclosed to its customers.
The percentage of security professionals who told Cisco they were confident their organizations were implementing the proper security technologies and policies fell 5 percentage points from 2014, from 64 percent to 59 percent. Fewer than half (45 percent) told Cisco their InfoSec teams were capable of mitigating a network compromise before it damaged IT assets.
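The check underlying a finding like Cisco's is a fleet inventory compared against vendor advisories. The script below is an added illustration, not code from either report: the inventory, the advisory table, the advisory IDs and the version strings are all constructed for the example, and the model (one release train per advisory, ordered by rebuild and maintenance number) is a simplification of how real advisories list affected releases. It also reports devices no advisory covers as "unassessed", since a missing advisory is not evidence that a device is clean.

```python
"""Flag devices whose software predates the first fixed release in an advisory.

Added example with constructed data. Advisory IDs, hosts and versions are
hypothetical; the version grammar mirrors the 15.x(y)TRAINn style but the
single-train-per-advisory model is a simplification.
"""
import re
from dataclasses import dataclass

# Matches strings such as 15.2(4)M7 or 15.0(2)SE11:
# major.minor(rebuild)TRAIN[maintenance]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)$")


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, not a real advisory
    train: str         # release train the advisory applies to, e.g. "15.2M"
    first_fixed: str   # first release in that train carrying the fix


# Constructed advisory table (hypothetical IDs and fixed versions).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "15.2M", "15.2(4)M7"),
    Advisory("ADV-EXAMPLE-2", "15.0SE", "15.0(2)SE10"),
]

# Constructed inventory export: hostname,model,running version
INVENTORY = """\
core-rtr-01,ISR4451,15.2(4)M7
edge-rtr-02,ISR2911,15.2(4)M5
dist-sw-03,C3750X,15.0(2)SE11
dist-sw-04,C3750X,15.0(2)SE9
lab-rtr-05,ISR2911,15.1(4)M12
"""


def parse_version(text):
    """Return (train, order_key) for a version string.

    train names the release line (major.minor plus train letters); order_key
    orders builds within that line by rebuild and maintenance number.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, rebuild, train, maint = m.groups()
    key = (int(major), int(minor), int(rebuild), int(maint) if maint else 0)
    return f"{major}.{minor}{train}", key


def assess(inventory_text, advisories):
    """Compare every inventory row against the advisories.

    Returns a dict with the total device count, a list of
    (host, version, advisory_id) tuples for exposed devices, and the hosts
    whose train no advisory mentions (unassessed, not necessarily safe).
    """
    exposed, unassessed = [], []
    rows = [line for line in inventory_text.strip().splitlines() if line]
    for line in rows:
        host, _model, version = [f.strip() for f in line.split(",")]
        train, key = parse_version(version)
        covered = False
        for adv in advisories:
            if adv.train != train:
                continue
            covered = True
            _, fixed_key = parse_version(adv.first_fixed)
            if key < fixed_key:  # running a build older than the first fix
                exposed.append((host, version, adv.advisory_id))
        if not covered:
            unassessed.append(host)
    return {"total": len(rows), "exposed": exposed, "unassessed": unassessed}


if __name__ == "__main__":
    result = assess(INVENTORY, ADVISORIES)
    print(f"{len(result['exposed'])} of {result['total']} devices exposed")
    for host, version, adv_id in result["exposed"]:
        print(f"  {host}: {version} affected by {adv_id}")
    for host in result["unassessed"]:
        print(f"  {host}: no advisory data for its train (unassessed)")
```

Two of the five constructed devices are flagged, and the lab router stays in the unassessed bucket rather than silently counting as clean; a fleet report that only lists matches hides that gap.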
But nearly all respondents to Cisco’s survey (97 percent) said that their organizations are responding to these threats right now, through increased and improved training and awareness programs.
It isn’t as if they’re afraid no one is paying attention to them. It’s that they’re worried that their efforts won’t get the funding they need.
Cisco uses a similar maturity model with a scale from 1 to 5, in the reverse order: 1 represents the optimum state of an organization's security systems, processes, and policies. Across the board, "budget constraints" ranked as the most significant obstacle to security evolution. Respondents in all five Cisco tiers cited them, including some 48 percent of those in tier 4 (organizations whose security methods are only responsive, not repeatable).
Tellingly, “Compatibility issues with legacy systems” was the second highest-ranked obstacle on Cisco’s list, for organizations in tiers 1, 2, 3, and 4.
“Enterprises should continue to raise their awareness of their security preparedness,” states Cisco, “and security professionals must champion the growth of budgetary outlays to support technology and personnel. In addition, confidence will rise when security practitioners deploy tools that can not only detect threats, but also contain their impact and boost understanding of ways to prevent future attacks.”
But it's a vicious cycle, at least for now: when InfoSec professionals are given the tools, training, resources, and budgets they need to do their jobs, and they succeed, the resulting drop in their organizations' perceived threat levels can create the false impression that their jobs are less critical now, and that there are other problems they could be solving instead.
It’s a new, and yet fundamental, threat to the security of organizations: the threat of their own success.
Title image, “Under Attack" by Les Chatfield, licensed under Creative Commons 2.0.