With certain news items, you do have to consider the source. Thus, it was with just a bit of skepticism that I read the headlines on a release from Oracle describing new research commissioned by CSO Custom Solutions Group which found that, despite increased spending on security, IT professionals are likely allocating their budgets sub-optimally. Translated, that means they should be spending more on database security, i.e., in Oracle’s wheelhouse. On closer inspection, however, the report makes some very valid points.
Looking at the security spending landscape
Let’s start at the high level. The report found that, while most IT security resources in enterprises are currently being used to protect network assets, the majority of the 110 enterprises interviewed for the report believe a database security breach would be the greatest risk to their business.
The numbers are revealing. Respondents from industries including financial services, government and high tech said that more than two thirds of their IT security resources remain allocated to protecting the network layer, while less than one third of the staff and budget resources were allocated to protecting core infrastructure such as databases and applications. This would not be so bad, except that it does not match the respondents’ own view of the potential damage caused by breaches: most IT professionals believed that a database breach would be far more severe than a network problem.
The reason is that databases contain the most vital and valuable information—intellectual property as well as sensitive customer, employee, and corporate financial data. This led to the conclusion that, “An un-balanced and fragmented approach to security has left many organizations’ applications and data vulnerable to attacks both internally and externally.” And the authors contend that this underscores, “The relevance of Oracle’s ‘security inside-out’ approach which means focusing attention on the organizations’ most strategic assets which include databases, applications and users.” In short, as noted, the source does need to be considered.
That said, here are some numbers from the study worth contemplating:
- 66 percent of respondents said they apply a security inside out strategy;
- 35 percent base their strategy on end point protection;
- 67 percent of IT security resources – including budget and staff time – remain allocated to protecting the network layer;
- 23 percent of resources were allocated to protecting core systems like servers, applications and databases; and
- 44 percent believed that databases were safe because they were installed deep inside the perimeter.
It gets even more provocative since it highlights the mismatch between perceived risks and spending. For example, 90 percent of respondents stated spending was the same or higher than a year ago, and 59 percent plan to increase security spending this year. However, 35 percent of organizations felt that security spending was influenced by sensational informational sources rather than real organizational risks. In addition, 40 percent of respondents believed that implementing fragmented point solutions created gaps in their security and 42 percent believe that they have more difficulty preventing new attacks than in the past.
“IT Security has to focus attention on the most strategic assets. Organizations can’t continue to spend on the wrong risks and secure themselves out of business. When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access,” said Mary Ann Davidson, chief security officer at Oracle. “Organizations have to get the fundamentals right – which are database security, application security and identity management.”
"The results of the survey show that the gap between the threat of severe damage to a database attack versus the resources allocated to protecting the database layer is significant, highlighting the disconnect in how organizations are securing their IT infrastructures," said Tom Schmidt, managing editor, CSO Custom Solutions Group.
Given all of the headlines, hyperbole and hysteria surrounding the growing frequency and sophistication of cyber attacks, it is not surprising that various parts of the security industry would highlight the areas of vulnerability where they happen to have solutions. A few realities come into play here:
- Security budgets are a scarce resource that needs to be managed based on a number of variables, including the type of business one is in, the prioritization of the risks that could truly threaten the ongoing vitality of the enterprise, and, yes, even corporate culture.
- The number of attack vectors resulting from BYOD, the virtualization of work, cloud computing, and the sheer number of people, devices and processes now interacting, along with various privacy, compliance and corporate governance issues, has made balancing security spending exponentially more complicated.
The truth is that “E”verything needs to be properly protected in the context of what is doable and affordable based on a holistic look at risk and its mitigation.
Yes, data integrity (when and where it is stored) is critical. Oracle also has it right that, in a world where risks arise increasingly from bad actors spreading evil through apps and where identity/authentication is the new perimeter, the challenges represented by the growing number of vulnerable areas must be adequately addressed. However, implying that spending on the network is somehow wasteful seems a bit over the top.
In answer to the question of what needs to be protected, the answer is “E”verything. The answer to questions about how much, in what areas and in what time frames is “IT depends.”
In previous articles I have opined that as a result of IT not having the tools it needs for visibility and control—of what people are doing with their devices, apps, the content they access and how they are validated to use the networks they use—coupled with the distrust users have of IT handling their personal information appropriately, we are at a tipping point in the history of the role and delivery of IT services. This tipping point has a name I periodically employ, “IT Anarchy.”
Davidson’s observations aside, the Oracle report is actually a useful exercise, if for no other reason than it highlights the need for all of the stakeholders in enterprises to have a conversation about risk management that is more expansive than the one reflected in the findings. This is not about headlines but priorities. IT can get the tools needed to efficiently and effectively mitigate risks, proactively as well as reactively, but nothing should be excluded from that conversation, and every stakeholder needs to be at the table so that security resources are allocated in the context of what makes the best sense. Having a strategy for building and maintaining a trusted communications and computing environment is not just good business; it has to be everybody’s business as well.
Edited by Rich Steeves