Adding to that, Pogue remarked, "Security still too often plays second fiddle to meeting a deadline. We used to have a saying in the Army: 'you can have it fast, or you can have it right...you can't have both.' Fast seems to be the soup du jour."
When asked for an opinion on the project rollout stat, Kim Jones, the CSO for Vantiv, a payment processing firm in Arizona, said that security risk should not stop or slow projects all the time, and in fact there are times when the risk calculus (risk vs. return) shows that the benefits outweigh the risk. However, he also suspects that security would win those battles more than 21 percent of the time.
"My input to a project is one of many drivers for a project's success or failure. It is my responsibility to ensure that I (a) am properly injected into the project process at proper points in the process; (b) properly identify and where possible quantify the risks; (c) raise the risks to the appropriate levels within the organization; and (d) where risk isn't mitigated, ensure that the risks are properly and formally accepted at the appropriate levels within the organization," Jones said in an email to CSO Online.
In addition, Jones said it's likely that many security organizations are not looped into the IT project cycle at appropriate points, or do not have the type of risk identification and acceptance process that he describes.
In those organizations, security tends to be in a catch-up mode. Often they're brought in at the eleventh hour to rubber-stamp the project, and if they find something wrong, the remediation timeframe would force the project to blow its deadline. Or worse, Jones added, without the risk acceptance process, the organization is hard pressed to find someone willing to sign off on accepting the risk.
"The pressure becomes that of delivering the project rapidly, on time, and not slowing down the effort to inject the security afterthought. Combine that with an inadequate risk acceptance process and you begin to see why many of my brethren either change jobs rapidly or choose to leave the profession."
So what can be done to help? What would lower the perceived pressures, and ease the stress for those who took part in Trustwave's study?
Asked to provide a wish list for 2014, the respondents said that bigger budgets, followed by more IT security skills and more time to focus on security, would be their top three requests. After that, they listed less complexity in technology, fewer requests from business line managers, and additional staffing.