Part of the problem is that the attack surface is growing. Public cloud services, big-data applications and the emerging ‘Internet of Things’ (IoT) have each added considerably to the resources to which data is distributed and which need to be protected. They have also collectively expanded the ‘data supply chain’ and contributed to an exponential increase in the number of external parties with some level of access to our networks and sensitive data, which in the case of large global firms can easily number in the tens of thousands.
A related problem is that the ‘bad guys’ are increasing in number, too. It’s no longer enough to worry only about ‘script kiddies’; we now have to contend with malicious insiders and an assortment of external actors – cybercriminals, nation-states, ‘hacktivists’ and ‘cyber-terrorists’.
To shed some light on the current state of data security, 451 Research recently produced a comprehensive report in conjunction with leading data security vendor Vormetric, based on an in-depth survey of 1,100+ senior security executives from across the globe, in key segments such as federal government, retail, finance and healthcare. You can download the report here.
At a high level, the survey contained a mix of encouraging and not-so-encouraging results. On the positive side, the number of respondents (39%) who indicated that their organization has either experienced a data breach or failed a compliance audit due to data security issues in the past year has held steady from prior surveys, despite the overall rise in breaches. We’re also seeing encouraging signs that data security is moving beyond serving as merely a compliance ‘check-box’ and more towards following best practices.
But while the results don’t necessarily indicate things have gotten markedly worse, they certainly haven’t gotten better. Overall, the survey suggests that many companies remain in denial about the threats posed to their data by both insiders and outsiders, as well as the most effective ways to combat them. For example, nearly two-thirds (64%) of respondents viewed compliance requirements as either ‘very effective’ or ‘extremely effective’ in preventing data breaches – up from 59% last year – even while allegedly compliant companies have suffered damaging security incidents. Further, though most respondents plan to increase spending to protect their sensitive data, the top spending categories were network security, analytics/SIEM and endpoint security. Approaches that have proven to be effective at protecting the data itself, such as encryption and access controls, are not seeing the same acceleration in spending intentions.
Overall, the survey underscores what should be becoming increasingly obvious – as an industry, there’s still a big disconnect between what we’re spending most of our security budget on and what’s actually needed to ensure that our sensitive data remains secure. However, there is also work to be done by the data security industry as a whole. The number one adoption barrier for data security was complexity, with lack of staff to manage it a distant second. If data security hopes to emerge from the shadow of its network and endpoint security peers, the implicit message for data security vendors is to make products that are simpler to use and require less manpower to implement and maintain.