Findings show that a majority of IT and cybersecurity professionals experienced increased pressures in 2017 when compared to the previous year, driven largely by a steep rise in sophisticated malware, continued deficit of high-level security talent and budget constraints. This report marks the fifth consecutive year pressures have increased year over year. On the flip side, there were a few bright spots. For instance, pressure to rush IT projects before they are security ready is decreasing and incorporation of managed security services to fill resource and technology gaps has gained traction, signaling a concerted effort to address pressures through better practices.
Key highlights from the 2018 Security Pressures Report from Trustwave include:
· Security Pressures Remain High: Overall, 54% of respondents experienced more security pressures in 2017 when compared to 2016. U.S. respondents cite the most increased pressure at 61%, followed by Japan at 55% and Singapore at 54%. Encouraging however is that 54% of respondents on average are more confident than they were five years ago in their ability to secure their organization, while only 15% are less confident.
· Advanced Threats Tops Operation Concerns: Although slightly down from 2017, advanced security threats, such as sophisticated malware and zero-day vulnerabilities, still causes the greatest concern at the operational level overall at 26% followed by lack of budget at 17% and lack of skilled security expertise at 16%. Japan felt the most pressure from advanced threats at 38%, which correlated with findings that the country is experiencing the highest overall concern over security talent deficiencies at 27%.
· Falling for the Bait: Of the most pressure-inducing security threats and responsibilities facing respondents, phishing attacks were the decisive riser, increasing from 8% last year to 13%, as cybercriminals step up social engineering attacks. Preventing malware (including ransomware), however, remains the top stressor across all regions, accounting for 22% of respondents followed by identifying vulnerabilities at 17%. Surprisingly low on the list for a consecutive year at 11% is detecting malicious activity and compromises. While anecdotally organizations are shifting away from prevention-focused security strategies, these findings may indicate a lack of internal resources necessary to address threat detection at a level that would increase pressures.
· Direct Managers Turn Up the Heat: Overall, C-level executives, board members and business owners are exerting the most pressure on IT and security teams, accounting for 39% of total respondents, down, however, from 46% in 2017 and 69% from two years ago. Singapore leads at 58% and is a full 17 points higher than the United Kingdom, which places second. Pressure from direct managers has jumped eight points since 2016, accounting for 27% of total respondents – a positive development as those most closely connected to given security outcomes are appropriately exerting the pressure.
· Slow and Steady Wins the Security Race: The tide is turning against the practice of rushed deployment of IT projects before security due diligence is adequately applied. At 42%, down a full eight points on average across all regions, IT security professionals felt less pressure to roll out projects before security concerns were addressed. Australia, Canada and the United States experienced the largest pressure relief in this category. Canada led overall with 59% of respondents agreeing they felt no pressure to hurry along projects.
· GDPR Compliance Causing Concern: The looming prospect of heavy fines for non-compliance with the Global Data Protection Regulation (GDPR) for any organization handling personally identifiable information (PII) of European Union citizens resulted in 26% of respondents citing the new mandate as the key source of compliance pressure, just a single point behind Payment Card Industry Data Security Standard (PCI DSS). Surprisingly, nearly a quarter of total respondents are not feeling any compliance pressures, pointing toward the likelihood of increased security maturity, in which case compliance challenges are less frequent.
· Managed Security Services Gaining Traction: Among the fastest growing responses to increased security pressures is the managed security model that offers a host of technology solutions and security expertise on-demand. Thirty-three percent of overall respondents already partner with a managed security services provider (MSSP) and 45% plan to in the future, a five-point increase from 2017. Respondents top three reasons for partnering with an MSSP include: compensating for in-house skill shortages at 31%; adopting, deploying and operating hard-to-use security technologies at 30%; and assisting with security automation at 28%.
“Cybercrime will remain a remarkably lucrative business model for the foreseeable future and, like legitimate industries, will continue to evolve through efficiencies, adaptation and innovation,” said Chris Schueler, senior vice president of managed security at Trustwave. “As this year’s report depicts, it’s this continuous advancement of the threat landscape, coupled with internal resource constraints, causing sleepless nights for those charged with securing assets. But it is encouraging that findings also suggest organizations are shifting away from treating security as an afterthought to focus on practices such as secure code development, frequent security testing, and bolstering internal capabilities through managed service models to ease pressure.”