The 2015 Black Hat Attendee Survey offers several takeaways that indicate a need to rethink the current enterprise IT security model. Perhaps the most important is that security pros are not spending their time and budget in a manner that is commensurate with their concerns about current threats.
Gartner data indicate that in 2015, enterprises will spend a new high of over $71.1 billion on information security. Yet, major data breaches, online attacks and data leaks seem more problematic than ever. The 2015 Black Hat Attendee Survey asked the 460 top-level security experts who will be at the conference in August what the industry is doing wrong. The answer, in a nutshell, is that most enterprises are not spending their time, budget, or staffing resources on the problems most security professionals consider to be the greatest threats.
Of the fifteen threats and challenges addressed in the survey, two stood head and shoulders above the others as their greatest concern. 57 per cent identified sophisticated targeted attacks as their top worry, while 46 per cent said it was phishing, social network exploits or other forms of social engineering. No other concern scored over 21 per cent (multiple responses were allowed).
The responses however, indicated that neither of these top threats were considered a major priority by their organization. Only 26 per cent indicated that mitigating sophisticated targeted attacks were among the top three security spending priorities in their organization, while only 20 per cent said targeted attacks were among the top three tasks they spend the most time on day-to-day.
The data on social engineering threats was similar. Only 22 per cent indicated their organization spends a large portion of their security budget on them, while only 31 per cent said it was among their top three tasks daily.
“Perhaps the most significant result from the 2015 Black Hat Attendee survey is this disparity between the threats that keep security professionals awake at night and the tasks that keep them occupied during the day,” the report stated.
Other significant threats noted were: Accidental data leaks by end users who fail to follow security policy (21%); Polymorphic malware that evades signature-based defenses (20%); espionage or surveillance by foreign governments or competitors (20%); and security vulnerabilities introduced by my own application development team (20%)
So what are the security experts spending their time on, if it isn’t on their top concerns?
Thirty-five per cent of Black Hat attendees said that their most time-consuming tasks was addressing those security vulnerabilities introduced by their own application development team, which 20 per cent had said was a top concern. Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems came in second, at 33 per cent. It had been ranked tenth on the list of concerns, at 13 per cent. The report stated that the data suggest that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.
“Potential threats posed by the Internet of Things, which ranked as the greatest concern two years from now, are barely being addressed in current time or budget expenditures,” the report also noted.
More cheery news for the industry comes in the form of a clear message from the respondents that while they believe that their organizations will have to deal with a major data breach, most think they don’t have the staff or budget to handle such an event.
Nearly three quarters (73%) said they believe their organizations will likely have to deal with a major data breach in the year ahead. However, only 27 per cent said they feel their organization has enough staff to defend itself against current threats. Only 34 per cent said their organization has enough budget to defend itself against current threats. In addition, while 36 per cent of respondents said they have the skills they need to do their jobs, 55 per cent admitted they could use some more training.
So is there any good news in the report? Yes, but it’s for the security specialists themselves. Because of the lack of resources, and likelihood that the misdirection of those that are there will cause problems, most security pros – 94 per cent – believe they would have little trouble finding another job!
Black Hat USA 2015, a UBM event, is scheduled for August 1-6 in Las Vegas.