Tim Wilson's coverage of the Black Hat security survey, "Poor Priorities, Lack Of Resources Put Enterprises At Risk, Security Pros Say," highlighted the disconnect between security professionals and the C-suite. This is in part due to the media's hype over domestic government surveillance, hacktivists, and politically motivated attackers. I agree with the assertion that financially motivated cybercriminals pose more of an economic threat than cause-driven or politically motivated hackers. But the media coverage of hacktivists and politically motivated breaches leaves 41 percent of survey respondents feeling that the media is overplaying the issue.
The result is misplaced priorities when it comes to enterprise security. The report shows that these misplaced priorities leave many security professionals frustrated with business priorities and result in the security department being shortchanged on resources. For example, budgets are often allocated to compliance needs or to sealing accidental leaks, leaving IT teams short on resources to fight the threats that actually face the business.
The focus on compliance or sensationalized risk leaves security professionals with few resources to address the real threats that cause breaches – like vulnerabilities in the application layer. With so few resources, companies end up spending too much time addressing vulnerabilities in internally developed software or in off-the-shelf software. An IDG survey found that less than one-third of web, mobile and cloud applications are tested for security, despite the fact that applications are the number one attack vector. This leaves a significant number of applications vulnerable, all because securing all the software a modern business needs in today's digital economy can be expensive and time consuming, especially if the enterprise relies on on-premises tools that cannot scale with the business.
How can security and risk professionals change the conversation around security? CISOs and security and risk professionals need to communicate with non-IT executives more effectively so that they can steer the conversation toward the threats the company is really facing, rather than the threats hyped by the media.
Bob Brennan, CEO of Veracode, and Paul Proctor, Gartner research analyst, discussed how security and risk professionals can link security to corporate performance, so that CISOs and other security professionals can steer their conversations toward more productive security topics.