Disagreement over security objectives

According to findings from a new global Ponemon study, “2015 Global IT Security Spending & Investments”, IT security and IT leaders and their staff members do not agree on security objectives. The study, commissioned by information security leader Dell SecureWorks, surveyed 1,825 IT security and IT leaders and their staff. The participants were based in 42 countries in the following regions: North America, Europe, Middle East, Africa, Asia Pacific, Japan and Latin America. The study’s objective was to determine the key influencers that are driving security budgets and technology purchases.

  • Thursday, 11th June 2015, by Phil Alsop

One of the key findings from the study was that more than 50 percent of the respondents surveyed stated that their organisation’s board of directors and C-Level executives are frequently not briefed, nor are they given the necessary information to make informed budgeting decisions regarding security priorities and the investments in technology and personnel required.

“Organisations cannot expect to successfully combat today’s increasing cyber threats if important stakeholders, such as the C-level executives and board members, are not adequately informed about their organisation’s security strategy, challenges and goals,” said Kevin Hanes, executive director of Security and Risk Consulting for Dell SecureWorks.

Another alarming finding was that 58 percent of the study’s respondents said they did not think or were unsure if their organisation possessed sufficient resources to achieve compliance with security standards and laws.

“What is especially worrying about this response is that not only does non-compliance put organisations at risk for legal action and fines, but even organisations which have achieved compliance can many times still be compromised,” said Hanes. “This is why Dell SecureWorks always advises its clients to build and maintain a robust, layered security program, so as to ensure a strong security stance and meet its compliance requirements.”

An additional finding of note is that the security views and priorities held by the Security and IT leaders were in stark contrast to their staff members’ views and priorities. Here are some of the responses:

· Security and IT leaders believe it is most important to pursue improvement in the organisation’s security posture (72 percent of respondents), while security and IT staff members see the minimisation of downtime as the primary security objective (83 percent of staff respondents).

· Security and IT leaders view third-party mistakes, including those made by cloud providers, as a more serious cyber threat (49 percent of leader respondents) than negligent insiders (37 percent of leader respondents), while security and IT staff members consider insecure Web applications and negligent insiders as more serious threats (57 and 56 percent of staff respondents, respectively).

“The differing security views and priorities between the Security and IT leaders and their staff members signal a serious misalignment between the two groups,” said Hanes. “Every member of an organisation’s Security IT department, whether a leader or a staff employee, should be working toward the same security goals. If the company wants to establish a strong security position, this misalignment must be addressed.”

“I found the responses in our ‘2015 Global Study on IT Security Spending & Investments’ surprising and enlightening,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “I hope IT Security and IT leaders and their staff, as well as C-level executives and board of directors, read this report and reevaluate their security programs to ensure that there is a thorough understanding and consensus among them as to their organisation’s security challenges and objectives.”