At the 2015 Black Hat conference, a survey of security professionals in attendance revealed that their three major concerns were attacks specifically targeting their organizations, phishing and social engineering schemes, and accidental leaks by end users. But that’s not reflected in how these same security pros use their time, nor in their IT budgets.

The authors of the 2015 Black Hat Attendee Survey (PDF) wrote the results indicated “that most enterprises are not spending their time, budget, and staffing resources on the problems that most security-savvy professionals consider to be the greatest threats.”

Black Hat conducted the survey at its July 2015 USA conference; UBM Tech handled the programming and analysis. Of the 460 participants, 61% have a full-time security job designation, 25% are in the lead security role at their enterprises, and 47% work in organizations with 5,000 or more employees. Note: For some answers, survey participants could choose more than one answer.

The following threats were the greatest concerns for the attendees:

  • Sophisticated attacks targeted directly at the organization (57%)
  • Phishing, social network exploits, or other forms of social engineering (46%)
  • Accidental data leaks by end users who fail to follow security policy (21%)
  • Polymorphic malware that evades signature-based defenses (20%)
  • Espionage or surveillance by foreign governments or competitors (20%)
  • Security vulnerabilities introduced by my own application development team (20%)

The disparities between security concerns and resources

Where the disparity begins to show

When Black Hat asked the security professionals what takes up most of their time each day, they chose as follows:

  • Security vulnerabilities introduced by my own application development team (35%)
  • Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems (33%)
  • Phishing, social network exploits, or other forms of social engineering (31%)
  • Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements (30%)
  • Accidental data leaks by end users who fail to follow security policy (26%)
  • Sophisticated attacks targeted directly at the organization (20%)
  • Polymorphic malware that evades signature-based defenses (14%)

The number one concern — targeted attacks — is in sixth place among daily time demands. The second concern — social engineering — dropped to third place, and the third concern — accidental leaks — was fifth.

Security concerns vs. budget priorities

The disparity continued regarding budget priorities. Only 26% said targeted attacks take up the largest portion of their IT security spending, co-equal to accidental leaks, the third original concern. The second major concern, social engineering, was here in fifth place. Not surprisingly, compliance was in third place for budget priorities, knowing the emphasis that managements and boards place on it.

Here were the budget selections:

  • Accidental data leaks by end users who fail to follow security policy (26%)
  • Sophisticated attacks targeted directly at the organization (26%)
  • Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements (25%)
  • Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems (23%)
  • Phishing, social network exploits or other forms of social engineering (22%)
  • Security vulnerabilities introduced by my own application development team (21%)
  • Polymorphic malware that evades signature-based defenses (15%)

Security woes in the near future

Security pros in attendance said, predictably, that the Internet of Things (IoT) was the biggest concern they expect two years from now, with targeted attacks in second place. The survey authors pointed out that IoT was neither a budget priority nor a major part of current time spent.

Here are the top seven future concerns:

  • Digital attacks on non-computer devices and systems — the IoT (36%)
  • Sophisticated attacks targeted directly at the organization (33%)
  • Espionage or surveillance by foreign governments or competitors (26%)
  • Attacks or exploits on cloud services, applications, or storage systems used by my organization (24%)
  • Attacks or exploits brought into the organization via mobile devices (22%)
  • Polymorphic malware that evades signature-based defenses (22%)
  • Phishing, social network exploits, or other forms of social engineering (22%)

73% of conference goers believed that they will have to address a “significant compromise” in the coming year. When asked what the weakest link in their enterprise IT security was (in other words, the likeliest point of entry), respondents said:

  • End users who violate security policy and are too easily fooled by social engineering attacks (33%)
  • A lack of comprehensive security architecture and planning that goes beyond “firefighting” (20%)
  • Mobile device vulnerabilities (9%)
  • Cloud services and cloud application vulnerabilities (7%)
  • Signature-based security products that can’t recognize new and zero-day threats (7%)
  • Vulnerabilities in internally-developed software (6%)

Staffing, media coverage, and management views

Staffing, with the corresponding ability to counterattacks, is also on the minds of security professionals. Only 27% of respondents felt that they had enough security staff. 51% indicated they could use “a little more help,” and 22% said the number of employees is inadequate.

Very interestingly, security pros at the conference believed that the views of management and the media were different from theirs.

  • 41% said the media has exaggerated the issues of US government surveillance.
  • 27% felt there was too much coverage of hacktivists and political cyberattacks.
  • 26% said that social engineering and phishing do not get enough coverage in the media and at industry events.

Regarding management views, attendees said their leadership has a greater concern for malicious insiders (29% vs. 17%, respectively). They also said that management had significant but lower concerns for targeted attacks (44%) and social engineering (29%).

TechRepublic, ZDNet, and Tech Pro Research are CBS Interactive properties.