The results of a recent CXO study that were released by (ISC)2 have painted a picture of just how paradoxical cybersecurity can be from the point of view of CSOs, aptly outlining the challenges that these industry leaders face.
The report broke down these challenges into five primary points, the paradoxical nature of which was often supported by additional statistics. For one, though the amount of data that needs to be protected is ever increasing, security professionals have the obligation to remain flexible; allowing data to be fluid — and subsequently allowing the security perimeter to be fluid — is a typical expectation for most organizations.
Similarly, organizations are constantly trying to upgrade and improve the features and functionalities of their electronic operations. This not only raises the risk of disruption, but also leads to an approach in which security is often an afterthought of application development. While the obvious solution here would be to put security at the forefront of application development, the heavy amount of resources necessary to do so makes it an often implausible approach.
In fact, the study results indicated that of the 12,396 information security professionals, 72 percent said that application vulnerabilities were their highest concern. However, only 7 percent said that significant time was spent on software development, demonstrating that the squeaky wheel doesn't always get the grease.
Mike Suby, vice president of research at Frost and Sullivan and the author of the report, said that examples of innovation trumping security include a lack of secure code assessment. Most companies simply don't do it.
"It may be too difficult or too time consuming. Companies need to run through it with security personnel and say, 'This is the objective, these are the data sets we're going to access.'"
Without that discussion, exposures could inadvertently be created. "I'm punching a hole into a data set that shouldn't be there," he said.
Suby also pointed out that security patchwork is built over time. Creating a non-vulnerable system is both cumbersome and difficult, while also impeding progress towards other goals. Instead, many companies opt to pursue other business objectives. Getting to those business objectives, he said, slows down app and software development.
"The idea is usually, 'I want to do more, I can do more, but in the meantime let me build up fences,'" said Suby.
Equally unhelpful is the fact that a very small percentage of InfoSec professionals even have the certification for secure software development. The scarcity of people with the skill set for app security "is also a problem," explained Julie Peeler, foundation director of (ISC)2.
In fact, that particular skill set often isn't the primary focus when searching for InfoSec professionals to hire. The study's results showed that security executives that were responsible for hiring prioritized a potential new-hire's communication skills over his or her understanding of the security field. This is because security isn't just the responsibility of the security organization, said Suby.