No matter how valiant the efforts of chief security officers, or how much businesses say they focus on securing their systems, or the amount of money spent on IT defenses — many of the same IT security challenges persist.
Enterprises lag in their ability to swiftly detect breaches — an important measure of security maturity. According to the 2013 Verizon Data Breach Investigations Report, 62 percent of organizations didn't detect breaches for months, or longer — and partners and customers, or others identified about 70 percent of those breaches.
There's clearly much room for improvement, but as the number, duration, and costs of attacks reveal, and as our interviews in recent weeks confirm, there certainly won't be any quick fixes. However, according to the experts we've spoken with, there are a handful of areas that, if dramatically improved, would significantly narrow today's chasm between defender and attacker.
1. Close the skills gap
One of the challenges cited repeatedly during our interviews is the difficulty organizations have finding the security talent they need. Earlier this year the International Information Systems Security Certification Consortium conducted a study that found more than half — 56 percent — of organizations believe their security departments are understaffed.
The challenge here is that technology and attack methods are moving swiftly, and so are adversaries, but formal education and corporate training aren't keeping pace in producing the security skills needed to cope with constant changes in mobility, cloud architectures, virtualization, and other areas.
"We are always seeing conversations about staffing concerns," says Daniel Kennedy, research director for information security and networking at 451 Research. "And it's not just small and mid-sized companies that are having trouble finding and retaining talent, it's a problem even at the top," he says.
2. Shift away from a regulatory compliance mindset
One of the most necessary shifts is that from a focus on regulatory audits and compliance to security risk management. Many enterprises have spent years — justifiably — with a focus on regulatory compliance. However, many say, the focus remained too intently on compliance and not enough on the essential security of their data, applications, and infrastructure.
And despite this focus on regulatory compliance, there's little in the way of improved outcomes to show for the effort. Our eleventh annual Global Information Security Survey, conducted by PricewaterhouseCoopers, CSO, and CIO magazine, found that the loss or damage of internal records more than doubled in one year.
"This focus on regulatory compliance, rather than security, has been underway for many years," says Candy Alexander, former CISO at Long Term Care Partners, LLC, and currently a member of the board of directors at the Information Systems Security Association.