Edward Snowden brought insider threats into the mainstream media. The Target and Home Depot hacks raised awareness of data breaches among the general public. Now, more and more organizations are seeking new types of cyber security solutions in an effort to avoid being the next data breach headline.
But are these security solutions actually delivering what was promised? And are IT shops getting the most out of them?
To find out, we anonymously polled IT security professionals at RSA Conference 2015. The responses were bleaker than we anticipated.
69 percent of respondents said they’re not using their IT security products to their full potential. Among this group, 71 percent believe this is putting their company, and possibly customers and partners, at risk.
We drilled down a bit and asked the respondents why they think they’re not getting the most out of their security solutions. We learned that 62 percent either found the products too complicated to deploy, too time consuming to deploy, or didn’t think they had the expertise on staff to properly deploy them.
IT Security Products as Cyber Warfare Defense
The situation seems to be one in which organizations are searching for new IT security solutions that can defend against the latest evolutions in zero-day attacks and other advanced cyber threats. However, security staff at many of these organizations often discover too late that the products they purchase cannot scale to large enterprise environments, or deploy quickly enough to provide active defense. This leaves affected organizations just as at risk as they were before purchasing their new products.
The current state of IT security is a cyber warfare scenario where organizations are under continuous cyber attacks. To be effective in this cyber warfare environment, a security solution must have enterprise scalability, be rapidly deployed without requiring expensive or time-consuming professional services, and operate automatically and continuously – without requiring direct human interaction.
Compliance Does Not Equal Security
From another line of questioning in the survey we discovered that 61 percent of respondents work for an employer that at some point deployed a security product purely to achieve regulatory compliance regulations – not to increase security.
This is no surprise. Regulatory compliance requirements drive many security product implementations. But quite a few organizations seem to fall into the “compliance equals security” trap. Deploying a product merely to satisfy an auditor may help with regulatory compliance. But it does nothing to reduce real security threats. Despite the regulatory mandates that so many corporations and government agencies are subject to, data breaches actually appear to be increasing.
Perhaps a correlation can be drawn between organizations that don’t think they’re getting the most out of their IT security solutions, and organizations that deploy security products merely to satisfy auditors. Just like products that cannot easily and quickly deploy to the enterprise offer no security benefits, there’s more to achieving real IT security than completing an auditor survey and ticking a few check boxes.
True cyber security requires continuous measurement and correction in the face of the unrelenting cyber threats that regulatory compliance mandates simply fail to anticipate.