Only 27% of Security Workforce Feel Their Organization is Equipped to Defend Against Current Threats
Today, Black Hat, the world's leading family of information security events, releases its first-ever research report ahead of the annual conference this August. Based on a survey of nearly 500 top-level security experts who have attended the annual Black Hat USA conference, this research highlights the trends and pitfalls of the InfoSec world with responses from one of the most security-savvy audiences in the industry. The 2015 Black Hat Attendee Survey reveals a significant gap between priorities and concerns on the one hand and the actual expenditure of security resources in the average enterprise on the other. For more information and to download the full report, 2015: Time to Rethink Enterprise IT Security, visit: blackhat.com/latestintel/07152015-attendee-survey.html.
In 2015, enterprises will spend more than $71.1 billion on information security – more than they have ever spent before, according to Gartner Group figures. Yet, the incidence of major data breaches shows no signs of abating. As enterprises continue to struggle with online attacks and data leaks, many are asking one common question: What are we doing wrong?
The 2015 Black Hat Attendee Survey revealed that most enterprises are not spending their time, budget, and staffing resources on the problems that most security professionals consider to be the greatest threats.
A Troubling Disparity between Priorities and Actual Resources
The survey revealed a significant gap between the top concerns that keep security professionals awake at night and the tasks that keep them occupied during the day. For example:
- Sophisticated Targeted Attacks: 57% of respondents indicated attacks targeted directly at their organization as their greatest concern. However, only 26% indicated that mitigating these attacks was among the top three security spending priorities in their organization. Further, only 20% said targeted attacks were among the top three tasks they spend the most time on day-to-day.
- Social Engineering: At 46%, the second greatest concern was phishing, social network exploits or other forms of social engineering. Yet, only 22% indicated their organization spends a large portion of its security budget here. And only 31% indicated that they spend a large amount of their time on social engineering.
If not on their top concerns for the business, where are security professionals spending their time?
- More than a third of Black Hat attendees said that their most time-consuming tasks are addressing vulnerabilities introduced by internally developed software (35%) and vulnerabilities introduced by off-the-shelf software (33%). The data suggest that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.
Warning to the Industry: Serious Shortage of IT Security Resources and Staffing
Nearly three quarters (73%) of respondents think it is likely that their organizations will have to deal with a major data breach in the year ahead. A key reason for security professionals' concerns about future attacks is the shortage of resources that they feel in their own organizations:
- Staffing Shortage: Only 27% of respondents said they feel their organization has enough staff to defend itself against current threats.
- Measly Budgets: Only one-third (34%) said their organization has enough budget to defend itself against current threats.
- In Need of Training: While 36% said they have the skills they need to do their jobs, some 55% said they could use some training.
The combination of these responses should serve as a warning to the industry that security defense strategies and resources need serious rethinking, and that the protectors of the enterprise are not confident in their ability to keep adversaries out of systems and data.
Download the Full Research Report
The survey results indicate a pressing and immediate need to rethink the current enterprise IT security model. Top concerns are changing – and the structure of resources, staffing and budget should follow suit. For actionable insights and a glimpse into the top concerns in the years to come, download a copy of 2015: Time to Rethink Enterprise IT Security by visiting: blackhat.com/latestintel/07152015-attendee-survey.html.
Black Hat USA 2015: August 1-6 in Las Vegas
Just weeks after the survey results present these troubling industry trends, the InfoSec community will gather to discuss, collaborate and share solutions for many of these developments at the annual Black Hat USA show, returning to Las Vegas for its 18th year. The week will kick off with nearly 70 separate deeply technical Trainings, followed by more than 110 innovative research-based Briefings. Covering everything from vulnerabilities within critical infrastructure to exploits against the most popular operating systems, mobile devices and automakers, Black Hat USA 2015 will present one of the most comprehensive programs in the event's history. For more information and to save $400 on your Briefings Pass by July 24, please visit blackhat.com/us-15/.