CompTIA report: Almost half of companies believe their security is 'good enough'

A recent security report from CompTIA found that while threats are growing stronger, many enterprises still aren't ready to face them.

With reports of massive data breaches becoming almost a regular occurrence in the enterprise, it stands to reason that most companies wouldn't dare rest on their existing security practices. Well, according to a recent CompTIA report, that's not the case at all.

According to Practices of Security Professionals, released Tuesday, almost half of IT security professionals in the enterprise believe their company's current security practices are "good enough." While it's not necessarily bad to be proud of the work being done in an organization, this could signal a dangerous level of complacency with regard to security.

Interestingly enough, though, this doesn't seem to reflect the growing priority of security in enterprise IT. As noted by CompTIA in the report, research firm Gartner predicts that the enterprise security market will be worth $100.3 billion globally by 2019.

So, if that many security professionals think their work is "good enough," then they have to be doing something right, don't they? Well, let's take a look at how CompTIA breaks down the modern approach to security.

First off, most modern security strategies are made up of three distinct movements:

  1. Shifting away from the secure perimeter
  2. Balancing prevention and detection
  3. Increasing focus on proactive security activities

A host of new technologies are playing into these movements. Cloud, mobile, and big data are proliferating, and each comes with its own security challenges; each of these trends affects how businesses approach security. Increased use of big data and cloud services means that companies must better protect their most valuable assets and make sure they are implementing the proper compliance standards and authorization protocols.

This expansion of security's core challenges is also being met with workforce issues. In the executive suite, roles like Chief Information Security Officer (CISO) or Chief Security Officer (CSO) are proliferating, but security itself is becoming more horizontal—touching every aspect of digital business.

At the same time, the number of job postings related to careers in security is booming as well. According to Bureau of Labor Statistics (BLS) data cited in CompTIA's report, the number of postings rose 175% from 2012 to 2015. In 2012, there were 39,920 security job postings, compared to 109,819 in 2015, which had grown from 58,456 in 2014. Despite this massive growth in listings, more than half of all businesses surveyed said that they believed there were no skills gaps.

So, if security is a growing issue, then why aren't enterprise professionals taking it more seriously? According to the CompTIA research, a high priority regarding security won't always translate into improved security practices.

"Companies may not fully understand the nature of modern threats, the need to support technology with process and education, or the necessity of proactively monitoring events along with building strong defenses," the report said.

In addition to this belief that security is already good enough, issues such as the prioritization of other technology over security (43%) and lack of security metrics (39%) are also hampering security improvements.

In terms of what would actually help change an organization's approach to security, respondents ranked the following drivers as the most important:

  • Change in IT operations - 51%
  • Reports of security breaches - 46%
  • Internal security breach or incident - 40%
  • Knowledge gained from training - 39%
  • Change in management - 38%
  • Focus on a new industry vertical - 37%
  • Change in operations or client base - 37%
  • Vulnerability discovered by audit - 34%

Looking at the disconnect between new security threats and enterprise needs regarding security, IT professionals need to examine their own organizations to determine how they can shrink the gap between the reality of the security landscape and how their own employees view it.

The 3 big takeaways for TechRepublic readers

  1. Despite growing security threats, almost half of security experts believe their organization's security approach to be sufficient, which could point to complacency in some businesses.
  2. The skills gap in information security continues to grow, with job postings increasing 175% from 2012 to 2015. This could be a good opportunity for new grads and professionals looking for a career change to take advantage of.
  3. The top three drivers for actually changing security approaches were change in IT operations, reports of security breaches, and internal security breach or incident. These could help spur change in your organization.

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.