Slim pickings in the labor pool is another management concern: There simply aren't enough security professionals to go around, and those who are in the job market can command sky-high compensation packages that are out of reach for many companies.
Those are just a few of the security-related issues that IT leaders lose sleep over. But most of them say they're not staying up late worrying; they're up making plans to take action. They're preparing to fine-tune anti-intrusion strategies, train -- and retrain -- employees, and create disaster plans for the breaches and attacks they say they know lie ahead.
Bigger budgets, better-trained users
Security execs may be getting called to board meetings more frequently for explanations, but they're often leaving those meetings with more resources to spend on protecting enterprise systems and data. The high-profile breaches have helped raise awareness among even the least technical board members about the critical importance of security.
"Instead of going to the board or CIO and struggling with justifying every security expense, I have the board and CIO coming to me," says a CISO from a midsize manufacturing company who declined to be further identified.
"In some ways, the high-profile breaches have done the selling for me. It's almost an open checkbook," he says. But make no mistake, he adds: "The threats are still there and they are certainly scary."
Across the board, security managers say they'll spend at least some of the money being added to their security budgets on further investments in awareness and training programs. "One of the biggest challenges is with employees. Most of the problems we've had come from emails they've opened that could have Trojans or malware," says Redden.
"It all goes back to user training," he adds. At Brazos Higher Education Service, he says, "we've pulled most remote users back in for additional training. We talk about not letting anyone access their laptop. It's not a personal device. We stress that very highly. Endpoint protection is the No. 1 issue."
Training is also on the docket at Loyola University Maryland in Baltimore. "Our largest challenge is our end users, so we're really ramping up our cyber awareness training," says Louise Finn, CIO and associate vice president of technology services.
In 2016, the university's recently hired security operations director, Patricia Malek, will be conducting face-to-face scenario-based training with employees in all business units. "And we're not just training on the university's policy, but providing training on the personal side, emphasizing personal control over and protection of data," Finn says.
The Bank of Labor in Kansas City requires employees to take part in a security awareness training program annually. But Shaun Miller, the bank's information security officer, says that schedule renders the program "worthless" because threats change so quickly.