Serious gaps remain between cyber concerns, investments
New survey finds agencies and businesses are adjusting slowly to the realities of cloud and mobile.
The idea that mobile and cloud are forcing changes in public and private IT security is not new, but agencies and businesses still may not be adequately prepared for the accompanying threats, according to a new study. The introduction of new technologies into the workplace opens doors to innovation and productivity, but it also introduces new vulnerabilities. Addressing those dangers requires a forward-looking security stance that incorporates a range of measures, prioritizing what is most critical and accounting for evolving trends and developments.
“In an increasingly digital, interconnected world, cybersecurity affects more organizations on more levels than ever before,” CompTIA’s tenth annual Information Security Trends report, released this month, states. Organizations are faced with ever evolving threats and at the same time, organizations must balance the need to allow workers the freedom to leverage the most powerful aspects of technology, such as mobility, information sharing and collaboration.”
Of the more than 500 organizations, largely private sector, surveyed by CompTIA, it seems most are taking note. The majority -- 57 percent -- said their organizations have implemented at least a moderate amount of change in their security approach over the past two years, with another 10 percent reporting a drastic amount of change.
More than half said the primary driver for change has been shifts in IT operations, including moving to the cloud and incorporating mobility. Security breaches at other organizations and internal breaches also were among top reasons for making changes to security strategy.
But are the changes enough? Participants in the study cited Internet-based applications, mobility and social networking as top concerns; however, they continue to invest most heavily in more conventional areas of IT.
“A main theme we’re seeing is that the security changes are a response to the different ways companies are using technology and the different tools and systems available to them,” said Seth Robinson, director of technology analysis at CompTIA.
But despite those rapid changes, security is not necessarily seeing commensurate upgrades, and Robinson highlighted the disparity between top concerns and top investments.
“It comes from traditional mindset -- they’re still thinking about a secure perimeter where confidential corporate information is stored inside, with the primary concern being someone coming in and stealing it,” Robinson said. “That’s still a concern, but now, with mobile and cloud, that notion of a secure perimeter is eroding rapidly. They have to take a different approach to securing data and against different threats that may present security risks.”
Robinson pointed out that although federal agencies were in the minority and were not singled out in the study, the themes are similar within the government IT security landscape as well, although at a slower pace than in industry.
“We’ve found that government agencies tend to be a little more conservative with their approach. With something like cloud, agencies are more cautious in its use because they have security and compliance concerns. And yet with that caution they still try to use the technology because it has such great benefits,” he said. “Even though some government agencies are not using mobile or cloud in same way a private organization would, they still try to some degree, and to that degree they need to consider the pros and cons in enabling employees versus risks that could occur.”
Whether public or private, that risk analysis is something organizations need to be implementing more of, Robinson said, adding that adequate -- and ongoing -- staff security training is critical as well.
“Risk analysis is becoming a very important part of security -- a lot of companies are finding they can’t just say, ‘Let’s secure everything as securely as possible,’” he said. “Another priority is realizing... that you can’t just assign security to the IT department anymore, because technology is getting used more and more throughout the organization. You have to expand your notion of your center of expertise.”