SPOTLIGHT ON SECURITY

Data Breaches Chip Away at IT Pros’ Confidence in Security

The daily barrage of data breach news appears to be eroding confidence in security solutions.

Fifty percent of IT pros aren’t confident about the ability of their security measures to protect their data, according to a survey released last week by Barkly.

The high percentage of IT pros with doubts about their security systems caught Barkly CTO Jack Danahy off-guard.

“Organizations are investing because they know they should be doing something for security, but their expectations are low,” he told TechNewsWorld.

“For me that was a surprise because in most areas of business, people know what they’re paying for, so they have reasonable expectations that something is going to be an enhancement to their business,” he continued.

Measuring Difficulties

When asked whether their organizations could measure the return on investment of their security solutions, 54 percent of respondents weren’t confident at all they could do that, according to the survey of 350 IT pros.

“Security can be difficult to understand. It’s not as easily measurable as other parts of their business,” Danahy said.

“In security, you’re trying to stop something, as opposed to doing something. That makes it hard to quantify the return that you’re getting for the investments that you’re making,” he noted.

“The difficulty of creating a linear equation between the amount that I’m investing and the protection that I can prove that I’m getting makes it hard for people to be comfortable about whether they’re budgeting either enough or too much for security,” Danahy added.

Hype Cycle

Confidence in security solutions may be affected by the gap between what the solutions promise and what they deliver.

“The problem is you’ve got a bunch of venture capitalists backing a bunch of technologies with a lot of money that the companies are spending on marketing rather than product development,” maintained John Prisco, CEO of Triumfant.

In the endpoint security space alone, there are more than 50 companies competing for business. “Many of them use some form of list or signature to protect endpoints, so a lot of those programs don’t work when it comes down to a sophisticated adversary,” he told TechNewsWorld.

“The type of products that do work have artificial intelligence engines built into them, but the ones that are the most popular use lists and have the money to spend on ads on drive-time radio,” Prisco said.

“A lot of money is being spent, and there’s a lot of hype from vendors around their products helping with security problems,” noted Eddie Schwartz, international vice president for ISACA.

“Yet breaches continue to occur, and they’re very public and they’re very damaging,” he told TechNewsWorld.

“So if you’re in the C-suite and someone comes asking for more money for security,” Schwartz added, “you’re going to ask if any of this stuff really works, and why should we continue to invest in this?”

More Automation Needed

Confidence in security solutions also is being eroded by IT pros feeling overwhelmed by security issues, maintained Ben Desjardins, director of security solutions for Radware.

“The lack of confidence IT pros express about their security solutions is often a reflection of their growing sense that, as practitioners, they are falling behind the pace of change in the threat landscape,” he told TechNewsWorld.

In response to those changes, security pros pile more point products into their stack to address the latest trendy threat, adding complexity to security infrastructure management, and introducing more and more manual efforts to maintain protection from a threat landscape that is increasingly automated, Desjardins said.

He called on cyberwarriors to put more trust in automated security solutions.

“Introducing technologies that can automate protection from not just today’s attacks, but previously unseen attacks, can not only increase the confidence level of IT pros, but also address three of the four concerns related to security’s impact on productivity,” Desjardins said.

Breach Diary

  • May 2. Krebs on Security reports a database of 866 million compromised credentials maintained by Pwnedlist.com is at risk after being exposed through a system vulnerability.
  • May 3. Krebs on Security reports that tax and salary information of employees at more than a dozen companies doing business with ADP has been stolen through the use of compromised credentials at a self-service portal.
  • May 4. Charles Schwab alerts an unspecified number of customers of unusual login activity at their accounts that may be the result of someone obtaining the credentials from a non-Schwab source.
  • May 4. The Colorado Department of Transportation alerts firms in its Disadvantaged Business Enterprise and Enterprise Small Business programs that their tax information was used improperly by a former CDOT employee. The Colorado Bureau of Investigation is looking into the incident.
  • May 4. New York Attorney General Eric T. Schneiderman announces his office has received more than 40 percent more data breach notifications (459) involving New Yorkers through May 2 than in the same period for 2015 (327).
  • May 5. Kroger sends a letter to all current and some former employees alerting them that their tax and salary information is at risk because of a data breach by attackers using compromised credentials.
  • May 6. The Bay Area Children’s Association warns its patients and guarantors that their personal information is at risk because of a data breach at the association’s electronic medical records provider.
  • May 6. Motherboard reports a hacker called “Peace” is offering information on 40 million accounts, including tens of millions from Fling.com, for sale on the dark Web for US$400.
  • May 6. Ars Technica reports that the 272 million email account credentials in a data breach widely reported during the week were almost all bogus.

Upcoming Security Events

  • May 17. Securing ICS/SCADA Networks. 5 a.m. ET. Webinar by Fortinet. Free.
  • May 17. Hackers are Coming After Your Healthcare Data. 2 p.m. ET. Webinar by ID Experts. Free.
  • May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
  • May 19. Locked Out: the Rise of Ransomware. 11 a.m. ET. Webinar by FireEye. Free.
  • May 19. Cyber Security for the Power Grid: Securing DNP3 Communications. 2 p.m. ET. Webinar by Belden. Free.
  • May 20-21. B-Sides Boston. Microsoft NERD, 1 Memorial Drive, Cambridge, Massachusetts. Tickets: $20.
  • May 21. B-Sides Cincinnati. University of Cincinnati, Tangeman University Center, Cincinnati. Tickets: $10.
  • May 21. B-Sides San Antonio. St. Mary’s University, One Camino Santa Maria, San Antonio. Tickets: $10.
  • May 24. PCI DSS: Preventing Costly Cases of Non Compliance. 1 p.m. ET. Webinar by VigiTrust, HPE Data Security, Aberdeen Group and Coalfire. Free with registration.
  • June 1-2. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), Atlanta. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 6-9. Cloud Identity Summit. New Orleans Marriott, 555 Canal St., New Orleans. Registration: $1,695.
  • June 8. B-Sides London. ILEC Conference Center, 47 Lillie Rd., London SW6 1UD, UK. Free.
  • June 9. SecureWorld Portland. Oregon Convention Center. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 10. B-Sides Pittsburgh. Spirit Pittsburgh, 242 51st St., Pittsburgh. Free.
  • June 11-12. B-Sides Latin America. PUC-SP (Consolação), São Paulo. Free.
  • June 15. Federal Trade Commission’s Start With Security — Chicago. Northwestern Pritzker School of Law, 375 E. Chicago Ave. (corner of Lake Shore Drive), Chicago. Free.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 20. Center for New American Security Annual Conference. 9:30 a.m.-5:30 p.m. J.W. Marriott, 1331 Pennsylvania Ave., Washington, D.C. Free with registration.
  • June 22. Combatting Targeted Attacks to Protect Payment Data and Identify Threats. 1 p.m. ET. Webinar by TBC. Free.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
  • June 30. DC/Metro Cyber Security Summit. The Ritz-Carlton Tysons Corner, 1700 Tysons Blvd., McLean, Virginia. Registration: $250.
  • August 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
