IT Innovation Challenging Security Pros' Knowledge, Resources
Pressure from upper management and boards is pushing security pros beyond their knowledge and resources, forcing them to roll out technology that is not properly secured, experts say.
Tue, February 11, 2014
CSO — Pressure from upper management and boards is pushing security pros beyond their knowledge and resources, forcing them to roll out technology that is not properly secured, experts say.
Nearly four in five IT pros were pressured last year into deploying inadequately secured software, according to a report from Trustwave set for release next week. The report, provided exclusively to CSO Online prior to release, shows that more than 60 percent of the respondents said that such rollouts occurred once or twice a year, while 16 percent said they happened frequently.
Half of the more than 830 CIOs, CISOs and IT security directors and managers surveyed between mid-December 2013 and mid-January said the most pressure came from company owners, boards, and C-level executives. Almost a third of the respondents, who worked for companies with 250 to 5,000 employees in the U.S., U.K., Canada and Germany, said the most pressure came from direct managers.
The findings were not a surprise to Drew Porter, senior security analyst for consulting firm Bishop Fox. Porter often works with companies to plug vulnerabilities in IT that was deployed too fast in order to get competitive features to customers and partners.
"They want to have these features and they want it right now," Porter said. "They worry about the security afterward."
An example Porter runs into often is a wireless connection to a corporate portal made available to people and employees visiting a company's campus. HTTPS is often not properly used for secure communications and it is not unusual for companies to skip the requirement of a username and password.
Such poor protection does not sit well with security executives and managers who will sometimes call in consultants to do a security review, so vulnerabilities can be documented and brought to the attention of C-level execs and boards.
"The consultant writes the report, giving the security team ammo to take to upper-management and say, 'These are problems that we have to fix; these are high-critical items.'" Porter said.
The emerging technologies that carried the greatest security risks were cloud services, mobile applications and technology to accommodate employees' desire to use their own mobile devices for work, a trend often referred to as "bring your own device (BYOD)," the study found. Deploying social media was also considered a top risk.
The market pressure to use new technologies is causing security execs to go beyond their level of expertise, Renee Murphy, analyst for Forrester Research, said.