Who is responsible for database security?

A culture of complacency hampers information security efforts, and as a result of lax practices and oversight, is leaving sensitive corporate data vulnerable to tampering and theft.

A new survey of database administrators and managers reveals that these professionals often are working in the dark when it comes to overall information security, lacking effective organizational support and tools to better identify and prevent potential problems.

Key highlights:

• While few organizations are cutting back on data security spending, there is great uncertainty as to the depth of organizational support. Database managers and professionals —the group most likely to be charged with data security—are largely unaware of the scope of budget support, suggesting a critical disconnect between corporate management and technology teams about data security priorities.
• One in five respondents fear that their organizations will experience a major data breach over the coming months, but few are aware of the potential costs to their organizations. Among those respondents that are aware of where data security breaches have occurred, they cite a pattern of inside abuse and errors.
• While there is a considerable amount of personally identifiable information present at respondents’ sites, many respondents report there are few controls to protect the data. In many instances, multiple copies of this data—including live production data—is frequently sent offsite.
• These days, data security is far more than just a technical issue. A majority of respondents say their organizations are affected by government and state mandates that require more judicious data management practices. However, respondents report that they don’t have or aren’t aware if security audits are in place to meet more rigorous standards.
• There is little monitoring for security issues going on, and few respondents report they are adopting security patches as they become available.

The Application Security Inc. survey was conducted among 761 members of PASS, the Professional Association for SQL Server, in September 2010.

Respondents to the survey have a variety of job roles and represent a wide range of company types and sizes. The largest segment of respondents has the title of database administrator, followed by IT managers and developers. About one-quarter come from larger organizations with more than 5,000 employees, and another one-quarter from smaller companies with fewer than 100 employees.