Call it the security conundrum.
Business leaders are racing to adopt new IT systems like cloud computing, big data and Internet of things (IoT), and yet at the same time express mounting concerns about the security of sensitive information in those environments.
A new survey of more than 1,000 enterprise leaders conducted by 451 Research on behalf of the security vendor Vormetric helps quantify the situation.
Eighty-five percent of respondents say that they have placed sensitive information in some type of cloud environment or intend to do so, up from 54 percent in last year’s survey. Of those, 70 percent say that they are “very” or “extremely” concerned about a security breach at their cloud provider.
There is a similar disconnect with big data and IoT deployments.
An even half of respondents say that they have plans to put sensitive information in a big data environment, up from 31 percent last year, and a third say they are doing the same with an IoT system.
And yet concerns about data security, privacy and information moving around within a big-data or IoT deployment persist.
Security as an afterthought leaves businesses scrambling
The report suggests that the security concerns are the result of a land-rush mentality that has seen firms scrambling to set up new types of IT architectures without thinking through how their sensitive data will be protected in the cloud or a big data or IoT setting.
So security too often comes as an afterthought, says Vormetric CSO Sol Cates.
“There’s a lot of catching up they’re doing right now,” Cates says. “The business is forcing them to get there quicker, and they’re really trying to understand, how do I reduce these risks.”
The three areas that the study evaluated might be the hot new topics in the tech sector, but the security concerns that they raise fit into reliable “historical patterns of IT evolution,” according to Garrett Bekker, the author of the report and a senior analyst with 451 Research.
“Unfortunately,” Bekker writes, “security considerations typically take a back seat to establishing a market presence, and only get their due either as a way to remove barriers to adoption or plug holes after the damage is done. Not surprisingly, then, we have observed a fairly strong positive correlation over time between the maturity of a specific computing model or resource, and the ability to secure that resource — and cloud, big-data and IoT have followed a similar pattern.”
So cloud service providers, as a class, might be further along in their security posture than firms specializing in big data or IoT services. However, Cates notes that it is difficult to disentangle the three, given that IoT systems are geared to produce large volumes of data, which in turn commonly reside on a cloud-based architecture.
The report suggests that enterprises are clinging to outdated security approaches focusing on endpoints and the network perimeter, when they would be better served by a data-driven strategy that would concentrate on securing the information itself through encryption and other tactics.
“To a large extent,” Bekker writes, “both security vendors and enterprises are like generals fighting the last war.”
Cates says that some of the challenge is organizational. Too often, he says, CIOs and CISOs work at cross purposes, with the former rushing to push out new technologies to support the business side of the enterprise, while the marginalized security unit operates in a vacuum.
“I think, in general, security teams in large organizations are misaligned with the business,” Cates says. “There needs to be an alignment there.”