Billions of Dollars in Infosec Spending Wasted on Legacy, Network Security

The Vormetric 2016 Data Threat Report, published in January 2016, provides valuable insight into trends in encryption and data security. The 2016 report surveyed over 1100 global security executives in mid-market and large enterprises across federal, retail, finance and healthcare markets.

In 2015 the incidence of breaches increased and the volume of records breached doubled over the prior year despite increased security spending. The report highlights a critical thinking gap, as security executives continue to equate compliance with security. “Compliance does not ensure security,” according to Garrett Bekker, 451 Research senior analyst and the report’s author.

Compliance Does Not Equal Security

“As we learned from data theft incidents at companies that had reportedly met compliance mandates…being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen.”

But they found that organizations don’t seem to have gotten the message, with nearly two thirds (64%) rating compliance as very or extremely effective at stopping data breaches.

Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defenses that consistently fail to halt breaches and increasingly sophisticated cyberattacks.

No Silver Bullets

Despite new tools and techniques in threat detection and analytic tools that create visibility and prevent escalation of attacks, there are no silver bullets. Determined hackers will find a way in.

Encryption of data in motion and at rest and multi-factor authentication everywhere are proven approaches to protect against privilege escalation and data theft, yet they rank near the bottom of spending priorities.

Security Professionals are like Old Generals Fighting the Last War

Bekker points out that spending tendencies favor what has worked or not worked in the past. This translates into increased spending in traditional network security, SIEM and end-point security.

In a sardonic tone, Bekker suggests that,

“Over time we suspect that the security industry as a whole will come to grips with the fact that perimeter defenses offer little in defending against multi-stage attacks… It’s no longer enough to just secure our networks and endpoints.”

451 Research estimates that nearly $40 billion is spent annually on information security products and the vast majority of that sum is spent on legacy technologies like firewalls, anti-virus software and intrusion prevention, yet data breaches continue to increase in frequency and severity.

“To a large degree it can be argued that security professionals are like old generals fighting the last war, and our old standby tools are no longer sufficient on their own.”

Mobile, Cloud and Big Data: Driving Change, Creating Complexity

Bekker is not afraid to take a stick to security vendors. 57% of survey respondents cited “complexity” as the main barrier to adoption of data security, with “lack of staff to manage” (38%) a distant second.

The implicit message for security vendors is to make products that are easier to use and that require less manpower to implement and manage. Bekker hints that platform approaches vs. point products, as well as automation and more services-based delivery, are obvious choices to reduce complexity and staffing shortages.

Pending Data Sovereignty Regulations Push Security into Boardroom

“Despite the Snowden/NSA revelations and concerns about the expiration of Safe Harbor protections, data sovereignty is not yet a top driver for data security.”

With Safe Harbor dead in the water, what may have more impact is the more than 100 national and regional data protection laws. The General Data Protection Regulation (GDPR) currently being drafted by the EU will be universally enforceable under law across all EU member nations. GDPR will have more teeth than its predecessor and requires firms not only to protect data, but also to prove it via detailed auditing and forensic reporting.

Threat Actors

Privileged users, executives and cybercriminals head this year’s threat list; privileged accounts are the #1 target of hackers, and senior execs are now the #2 target as they have access.

The largest change is the increase in executive management as a potential threat vector (45%, vs. 28% last year). Executives also typically tend to follow lax security practices and are often the main source of requests for “exceptions” to existing security policies. Given the prevalence of using stolen credentials as a key component of most data breaches, executive credentials are also a ripe target for attackers.

Contractors and service providers, followed by ordinary users, rate next in risk to sensitive data.

Barriers to Adoption

Complexity and lack of skilled IT staff are the chief barriers to adopting data security, with an estimated 1 million unfulfilled security job openings.

With cloud, mobile and big data multiplying the attack surface by orders of magnitude, coupled with an assortment of point products to manage, firms are being asked to do a lot more with the same or fewer resources. This is an opportunity for firms to deliver data security and encryption-as-a-service. Vendors that provide security and access platforms that protect cloud, mobile, big data and on-premise apps and devices provide a timely solution to a rapidly escalating problem.

Read our white paper describing Centrify’s platform approach to securing identity.