Dark Reading and Black Hat conducted a survey of Black Hat 2015 attendees in June 2015. Their executive summary has some interesting findings. They report that there are significant discrepancies between the priorities of security professionals and the resource allocations. They also report that "Many security professionals feel that the perception of current threats - both in the media and among their managers and supervisors - is different from their own" (p. 5). While you should take a look at the full report, here are the top 5 responses for the security pros' greatest concerns, time consuming incidents, and budget consuming incidents.
Greatest concerns:
- sophisticated, targeted attacks
- phishing, social network exploits, other social engineering
- accidental data leaks by end users not following policy
- polymorphic malware that evades signature-based defenses
- espionage/surveillance by foreign governments or competitors
Consumes time:
- vulnerabilities introduced by own app dev team
- vulnerabilities introduced though purchased apps/systems
- phishing, social network exploits, other social engineering
- internal mistakes or external attacks affecting industry or regulatory compliance
- accidental data leaks by end users not following policy
Consumes budget:
- accidental data leaks by end users not following policy
- sophisticated, targeted attacks
- internal mistakes or external attacks affecting industry or regulatory compliance
- vulnerabilities introduced though purchased apps/systems
- phishing, social network exploits, other social engineering
Let's talk about one problem with this survey - the respondents are all 'security professionals' and they're all Black Hat attendees. This would suggest that they are, for the most part, more technical people. These are the people doing the job of computer security within organizations. That's great. They are needed. I used to be one of them. But they have a completely different view of the problem than a business manager would. So, I'm not surprised that they feel that management doesn't 'get it' - that their perceptions of the problem are wrong. However, these security pros' perceptions of the problem are also wrong.
Wait, no, that's not it. The professional in charge of maintaining secure and functioning information systems has a different problem to solve than the professional in charge of managing a company/business. So, since they have different problems to solve, their perceptions of how to solve them are going to be different. Management thinks in terms of risk management - what are the risks to the organization and what do we have to do to get those risks within acceptable parameters. Security folks think in terms of risk to their specific piece of the business and are trying to minimize it - no data lost, no hackers in our network, no (little) down-time, etc. They definitely understand the problem (threat to the systems) better at a technical level than anyone who gets their information from the popular media. But they don't necessarily understand the bigger bundle of concerns that management is dealing with.
So, what are Management's greatest concerns? This survey hasn't captured that. There are some built-in assumption. If a concern is 'sophisticated, targeted attacks' I ask you why? What is it about that threat that makes it a big business concern? When you, as this security professional, can explain to the manager why she should care about this thing and what you can do about it, then you may get the resources you need to counter it. If you're spending all your time dealing with vulnerabilities introduced by your own app development, then quantify that so you can explain how much this particular problem costs the business. And, align your concerns with the business concerns. In short, learn to speak in business language, become part of the risk management team and process. And use that to get better alignment of priorities and resources.
Thoughts?
No comments:
Post a Comment