Identifying the security gaps in the enterprise - research

Despite increasing awareness of cyber-threats, most enterprise security leaders are still struggling to close gaps in their defences

Who's winning the data security arms race? Looking at the headlines, you'd have to be quite the optimist to believe that those doing the protecting are gaining ground on those doing the attacking. In fact, most people would say it's going the other way, with attackers - be they bored teenagers, activists, criminal gangs, terrorists or even state actors - currently making the running in this global game of cat and mouse.

Of course, we could have said the same thing at any time during the past 20 years. The fact is, attack is innovative and opportunistic and defence is reactive. It's hard to defend against something you don't know exists, and attackers are always looking for new zero-day vulnerabilities to exploit. Organisations are increasingly trying to take the initiative, to gain intelligence about threats, to be proactive. Indeed, last year, when we asked respondents to our annual enterprise security survey where they want to be in three years' time, "proactive" was the word that topped the aspirational list.

Sadly there is still quite a way to go if this aspiration is to be realised. This year we asked 300 IT leaders to pick words to describe where they are today: "proactive" languished in a distant seventh place.

"We try and keep up, but it's a constant race. We are never going to be ahead of the curve," admitted a head of technology in a local authority.

Even for the most proactive, there is always a time lag, or "patch gap", between recognising a problem and being able to effectively deal with it. This is just one part of the overall security gap. Other contributing factors are a skills gap, a knowledge gap, and even a generation gap. All of these combine to form one big security hole, through which attackers can shoot their poison arrows, often, seemingly, at will.

Us and them

One of the biggest gaps has always been that between the head of IT and the board members who sign off IT projects. However, there is evidence that this particular chasm may be narrowing. As figure 1 shows, respondents were evenly split between those saying the board is now more involved in security strategy and those who said involvement is about the same. Only 13 per cent said the board is less involved now.

The main reasons given for this change were, in order: "better awareness of vulnerabilities and risk"; "increased concern about harm to our brand"; and "highly publicised breaches/media stories".

It has been a consistent finding of Computing's research that people dislike "scare tactics" from vendors who emphasise the dire consequences of a data security breach. However, real-life examples are increasingly being picked up by mainstream media and they are clearly influencing individuals and businesses as a whole when it comes to strategy.

"There is more stuff in the papers now," said a transformation consultant in a utilities company. "It's what you call MBM - management by media. They won't listen to me telling them what they should be doing, but if they read it in the Metro going into work in the morning... Cyber-security is now a newsworthy subject."

In the shadows

If the gap between IT and the board is narrowing, that between IT and end users is widening.

This gap, of course, has been a source of immense frustration to security professionals since civilians were first let loose on the internet. However, the arrival of cloud computing and mobility has made the security professional's job that much harder, particularly as users may find that the most efficient way of doing their work is via shadow IT - i.e. solutions they download themselves, often for free. But simply banning this practice, even where it is technically possible, is rarely a workable answer, as it may be seen as an unjustifiably bureaucratic burden on people who are just trying to do their job.

Added to shadow IT is the increased sophistication of attackers, carefully spear-phishing their victims by use of email messaging and spoof websites that can be very hard to spot - even for a seasoned IT professional who's seen it all before.

"Some of the phishing attempts are so sophisticated now that it's even hard for us to determine what's real and what's not. They are really good and you have to look at minute differences, minute little tell-tale signs..." said an IT security manager in the legal profession.

"To this day, we still don't know how this was done... You are dealing with that level of sophistication and intellect..." sighed the head of technology at a local authority.

Indeed, phishing is the area that most people considered to be increasing in severity or frequency (figure 2). Just below that came malware, viruses and Trojans, followed by a newcomer: crypto-malware. This particularly vindictive threat was barely on the radar this time last year, an indication of how fast things change.

Only four per cent said that none of the items on this list is increasing in severity.

Fixing the humans

Ultimately, what lies behind all of these dangers is human frailty. Most threats do not spread without some human intervention to help them on their way.

"The human can be the vulnerability or the weakest link; the human can make a mistake; the human can misconfigure a device allowing a vulnerability. The biggest vulnerability will always be the human," said an IT security manager in the legal sector.

So if the humans are the problem, then we need to fix the humans. How do we do that?

Awareness-raising and formal training topped the list, closely followed by the newer discipline of threat intelligence - i.e. being proactive in defence. Other popular tactics included sharing information with industry peers and attending events and seminars (figure 3).

Awareness and more formal training both sound like the proverbial "no brainer". However, the real-world practicalities of such exercises can sometimes be a different matter. It is also difficult to know whether or not the training has been effective.

"What's the test that you apply in security? Well, it's a real world test. It's whether the spear-phishing attack, or whatever it is, has been successful. That's when you know whether the education has worked," said a CIO in higher education.

There is a widespread acceptance that training needs to be little and often and that it needs to be engaging. "Deliver it in bite-sized chunks to keep the momentum going," advised the transformation consultant in utilities.

A degree of coercion is also necessary to ensure people don't duck out of the process, such as ensuring people watch a video by making them take a test afterwards.

It's worth mentioning another gap in this context: the generation gap. People of different ages learn in different ways. While older generations may prefer written text, younger ones will almost certainly respond better to interactive training or videos. It's important not to go for a one-size-fits-all approach.

The skills gap

And there is another important gap to consider: the skills gap. Many larger companies are now recruiting specialised security staff including chief information security officers (CISOs), giving IT security board-level prominence for the first time.

However, such skills are in short supply. If skill equals education plus experience, it is easy to see why, in a fast-changing landscape, suitably qualified individuals are a rarity - and an expensive one at that.

After salaries, the next challenges in the list (figure 4) were "finding someone with experience across different platforms" and the problem that "skills don't keep up with the emergence of new threats".

To fill this particular gap, many senior IT professionals, including those dedicated to security, spend a significant amount of time educating themselves about emerging risks. There are real-time feeds that can be subscribed to, online forums to visit, seminars to attend and vendors to consult to ensure the organisation's defences are as up to date as they can be. We found the self-learning ethos to be particularly strong among professionals tasked with looking after security.

"You have to be pro-active," said our IT security manager in legal. "There is a responsibility on me to ensure that I keep myself up to date - I have a number of certifications that actually mandate that. I have to dedicate a certain number of hours to those annually."

However, it is not just knowledge of threats and vulnerabilities in code and infrastructure that needs to be addressed. An understanding of the business itself is also key, including participation in regular security risk assessments encompassing the business as a whole.

"Essentially it's just an interview with every senior manager throughout every single area of the business. We'll go and visit them every 18 months, we'll talk about data, we'll talk about processes, discuss weaknesses and vulnerabilities..." said a security governance manager in finance.

So we're back to the boardroom again. We've come full circle with our gap analysis.

Read more results from this research programme by downloading the Data Security and Risk Management Review 2015.

@_JohnLeonard