’Tis the season for security surveys. Two more hit the mailboxes this week, both validating the dramatic impact that cloud computing and digital transformation are having on corporate security organizations and budgets.
A BMC Software Inc. survey of more than 300 chief information officers and chief information security officers finds that the digital transformation “is forcing fundamental changes to security strategies.” While malware is declining as a threat, other trends are raising new challenges, specifically public cloud, big data and mobile applications.
The cloud is creating authentication problems as organizations struggle to harmonize their employees’ use of a mix of internal and external applications. The No. 1 security challenge executives told BMC they face is “managing multiple inter-dependencies among on-premise and cloud resources,” followed closely by end-user training.
These findings are bolstered by Netskope Inc.’s quarterly report, which was also released today. The cloud security firm’s analysis of aggregated data from its Netskope Active Platform finds that on average, half of the people who use a cloud storage service that is blessed by their companies also have a personal account on the same service. That’s both an authentication and a data management problem, since organizations need to be sure sensitive information isn’t uploaded to the wrong account.
The average number of cloud services in use per enterprise rose to 1,031 in the most recent quarter, up about 6 percent from 977 last quarter and about 60 percent from 755 in the same quarter a year ago. Because Netskope analyzes its own customers’ data, the figures shouldn’t be presumed to be representative of the Internet as a whole.
Growing awareness of vulnerabilities created by the barrage of recent breaches has enterprises funneling more dollars into security. More than 80 percent of executives in Europe and North America say their security investments will rise again this year, according to BMC.
But that hardly means security has an open checkbook. Information technology executives also told BMC that they must compete with business peers who want to invest in business innovation and IT modernization efforts, even if that means cutting corners on security.
The BMC research validates another trend that has been documented frequently within the past year: Enterprises are focusing more on identifying vulnerabilities and cleaning up after exploits, and less on the nearly impossible goal of creating an impenetrable perimeter.
Sixty percent of respondents to the BMC research say they are investing more in these areas this year, and more than two-thirds of CIOs and CISOs say their enterprises are giving rapid response higher priority than they did in the past. Nearly as many enterprises are investing more in employee security training, and upgrades to antivirus and anti-malware software are still high on the list, with 54 percent of organizations planning to boost spending in those areas.
From a technology perspective, automated patching and cloud-based security tracking and management services top the wish list in the BMC survey, which should bring a smile to the faces of the folks at Netskope, which specializes in cloud security. Its research found that the average enterprise now uses four infrastructure-as-a-service platforms. Cloud storage services are the most-attacked resource by an overwhelming percentage, accounting for 82 percent of data loss prevention violations, followed by webmail at a distant second with 14.2 percent.
Netskope also reported that 43 percent of detected breaches were via back doors, indicating that unpatched software is the greatest vulnerability organizations face by a wide margin.
Technology isn’t the only area that’s attracting executive attention. The growing use of roll-your-own approaches to IT that permit users to freely mix cloud and on-premise applications has got CIOs focused on better integrating security operations. Operations teams are taking on increased responsibility for ensuring that patches are applied, while security teams are being busted out of their silos to work more closely with their peers on the business side. Nearly half of respondents say they expect to combine security and operations personnel into teams dedicated to specific mission-critical applications.
Interestingly, the BMC research documents a disconnect between security threats perceived by CIOs and CISOs. For example, one-third of CIOs see public clouds as having an extreme impact on security, while only 21 percent of CISOs share that view. CISOs are also more sanguine about the risk that mobility poses. Only about half as many see extreme risks in this area as top IT execs do.
Incidentally, with only a little over 16 months remaining until the European Union’s General Data Protection Regulation takes effect, Netskope found that cloud service providers are woefully unprepared, with only about one-third having the proper security and privacy controls in place for compliance. The company also found that two-thirds of cloud services don’t specify in their terms of service that customers own their own data – a requirement of the new regulations – and 42 percent don’t allow administrators to enforce password controls.