Some key paradoxes the CXO study found include:
- Application vulnerabilities were the top-rated threat to the security of enterprise data (72 percent of executives rated it as a chief concern), yet many executives also reported that the demands of their organizations make it difficult to develop and implement secure application development processes.
- Similarly, 70 percent of executives rated mobile devices as a top threat to their organizations, but many reported that they had not successfully implemented mobile security policies and programmes.
- The vast majority of security executives (77 percent in government and 63 percent in private industry) believe they have too few people on their IT security staff, yet 61 percent cited business conditions as an obstacle preventing them from hiring more personnel.
- Despite the concerns they registered over a shortage of trained personnel, more security executives plan to increase their spending on technology in the next year (39 percent) than on staffing (35 percent).
“Senior security executives, it appears, are getting sidetracked from the key security issues at hand as they balance the pressures of an evolving threat landscape and the business,” said John Colley, Managing Director, (ISC)2 EMEA. “They recognize application vulnerability is the number one threat and yet they are unable to devote their time, attention and obvious leadership in the field to help correct the situation. It is imperative that they keep a strategic perspective on security, looking at the issues holistically in order to develop effective solutions to deal with problems, the nature of which is constantly changing.”
The report data indicates that top security executives are faced with a myriad of critical, yet sometimes paradoxical, security choices. For example, CXOs said that two of their chief cyber security concerns are potential damage to the organization’s reputation (83 percent) and IT service downtime (74 percent). Yet when asked how they spend their time, the top two answers were governance, risk and compliance (GRC, 74 percent), and security management (74 percent), which indicates that administrative tasks and priorities dominate their daily agendas.
“Security is a dilemma for information security executives,” stated Michael Suby, Stratecast VP of Research at Frost & Sullivan and author of the report. “Data is proliferating and becoming more fluid, yet the need to protect it is greater than ever. Similarly, there is the challenge of today’s sophisticated attackers, who are becoming increasingly skilled at hiding their exploits. The most significant threat to an organization is what it does not know or cannot detect.”
“It is clear that chief security executives are faced with an array of challenges that cannot be overcome by any single methodology or set of solutions,” commented William Stewart, senior vice president at Booz Allen Hamilton. “One of the biggest obstacles security departments face is the dynamic interplay between an organization’s business and IT priorities and the rapidly changing nature of the threat environment. To overcome this challenge, CXOs need to focus on prioritizing critical assets, closely collaborating with the other organizational leadership and conducting thoughtful and forward-looking threat analysis.”