An annual study from enterprise software company Micro Focus has shown progress in the security maturity of organizations, but much more work remains. According to the fifth annual State of Security Operations Report 2018, there has been a 10 percent improvement in organization’s ability to meet security-related business goals. According to the study, about 25 percent of organizations assessed meet those goals.
Over the past few years, considerable attention has been given to the cybersecurity skills gap. In the post Enterprises Continue to Grapple with a Huge Cyber Security Skills Shortage we covered how the global cyber security workforce shortage is on pace to hit 1.8 million by 2022, a 20 percent increase since 2015, according to the Global Information Security Workforce Study. That study found 68 percent of workers in North America think the workforce gap is due to a lack of qualified personnel.
Organizations already facing a tough time finding cybersecurity talent may find additional cybersecurity headwinds this year as the vast majority (84 percent) of cybersecurity workers say they are on the lookout for new job opportunities.
Ever since the first data breach notification law went into effect July 1, 2003 in California (SB 1386), there has been controversy surrounding what types of data being exposed should trigger data breach notifications, who should be notified, and how quickly they should be notified. In fact, it’s become somewhat of a mess.
It’s hard to believe but the conversation around how security fits in DevOps has been going on for years. It was in 2012 when Gartner analyst Neil MacDonald wrote his blog DevOps Needs to Become DevOpsSec. In this blog MacDonald wrote “DevOps seeks to bridge the development and operations divide through the establishment of a culture of trust and shared interest among individuals in these previously siloed organizations. However, this vision is incomplete without the incorporation of information security, which represents yet another silo in IT.”
The more things change, the more they stay the same. While the nature of the technology employees use has dramatically changed over recent decades – from immovable desktops connecting to internal networks to iPads and netbooks with the ability to work anywhere — insiders and employees have remained among the greatest risks. According to the 2018 Netwrix Cloud Security Report, which consists of a survey of 853 various-sized organizations, industries and geographical locations. All organizations are public or hybrid cloud users.
To anyone who has been paying attention, this isn’t as much of a surprise, as it is a confirmation of the ongoing tenuous condition of enterprise cybersecurity but a just-released survey from specialty insurer Hiscox shows that roughly three-quarters of the 4,100 organizations surveyed face significant shortcomings when it comes to cybersecurity.
Is this cloud security Nirvana?
While many organizations moved to the cloud to try to simplify their IT management, including improve security, they’re learning that it’s not as simple as “shift applications to the cloud and watch the magic happen.”
In a report published by the U.S. Departments of Commerce and Homeland Security concluded what most security professionals have known for years: that botnets are a global threat, that technologies exist to mitigate the threats but aren’t widely used for multiple reasons, poor product security design and development, counter-productive market incentives, and low education and awareness across all market participants.
With another year of too many high profile, and quite frankly avoidable, data breaches under our belts, it’s time to take a look forward and identify areas where you may be able to improve your security program and hopefully become more efficient and reduce risk more effectively.
It’s not always the bad guys that sabotage enterprise security efforts, sometimes organizations do that all on their own.
