Trustwave has released its 2018 Security Pressures Report based on a global survey of 1,600 full-time IT professionals who are security decision makers or security influencers within their organization. The fifth-annual report delves into the causalities of pressures in-house security professionals face as they strive to keep pace with an evolving threat landscape. Conclusions are based on a year-over-year comparison of 2016 and 2017 data encompassing regional perspectives from Australia, Canada, Japan, Singapore, United Kingdom and United States.
Findings show that a majority of IT and cybersecurity professionals experienced increased pressures in 2017 when compared to the previous year, driven largely by a steep rise in sophisticated malware, continued deficit of high-level security talent and budget constraints. This report marks the fifth consecutive year that pressures have increased year over year. On the flip side, there were a few bright spots. For instance, pressure to rush IT projects before they are security ready is decreasing and incorporation of managed security services to fill resource and technology gaps has gained traction, signalling a concerted effort to address pressures through better practices.
Key highlights from the 2018 Security Pressures Report from Trustwave include:
Security pressures remain high: overall, 54 percent of respondents experienced more security pressures in 2017 when compared to 2016. US respondents cite the most increased pressure at 61 percent, followed by Japan at 55 percent and Singapore at 54 percent. Encouraging however is that 54 percent of respondents on average are more confident than they were five years ago in their ability to secure their organization, while only 15 percent are less confident.
Advanced threats tops operation concerns: although slightly down from 2017, advanced security threats, such as sophisticated malware and zero-day vulnerabilities, still causes the greatest concern at the operational level overall at 26 percent followed by lack of budget at 17 percent and lack of skilled security expertise at 16 percent. Japan felt the most pressure from advanced threats at 38 percent, which correlated with findings that the country is experiencing the highest overall concern over security talent deficiencies at 27 percent.
Falling for the bait: of the most pressure-inducing security threats and responsibilities facing respondents, phishing attacks were the decisive riser, increasing from 8 percent last year to 13 percent, as cybercriminals step up social engineering attacks. Preventing malware (including ransomware), however, remains the top stressor across all regions, accounting for 22 percent of respondents followed by identifying vulnerabilities at 17 percent. Surprisingly low on the list for a consecutive year at 11 percent is detecting malicious activity and compromises. While anecdotally organizations are shifting away from prevention-focused security strategies, these findings may indicate a lack of internal resources necessary to address threat detection at a level that would increase pressures.
Direct managers turn up the heat: overall, C-level executives, board members and business owners are exerting the most pressure on IT and security teams, accounting for 39 percent of total respondents, down, however, from 46 percent in 2017 and 69 percent from two years ago. Singapore leads at 58 percent and is a full 17 points higher than the United Kingdom, which places second. Pressure from direct managers has jumped eight points since 2016, accounting for 27 percent of total respondents – a positive development as those most closely connected to given security outcomes are appropriately exerting the pressure.
Slow and steady wins the security race: the tide is turning against the practice of rushed deployment of IT projects before security due diligence is adequately applied. At 42 percent, down a full eight points on average across all regions, IT security professionals felt less pressure to roll out projects before security concerns were addressed. Australia, Canada and the United States experienced the largest pressure relief in this category. Canada led overall with 59 percent of respondents agreeing they felt no pressure to hurry along projects.
GDPR compliance causing concern: the prospect of heavy fines for non-compliance with the Global Data Protection Regulation (GDPR) for any organization handling personally identifiable information (PII) of European Union citizens resulted in 26 percent of respondents citing the new mandate as the key source of compliance pressure, just a single point behind Payment Card Industry Data Security Standard (PCI DSS). Surprisingly, nearly a quarter of total respondents are not feeling any compliance pressures, pointing toward the likelihood of increased security maturity, in which case compliance challenges are less frequent.
Managed security services gaining traction: among the fastest growing responses to increased security pressures is the managed security model that offers a host of technology solutions and security expertise on-demand. 33 percent of overall respondents already partner with a managed security services provider (MSSP) and 45 percent plan to in the future, a five-point increase from 2017. Respondents top three reasons for partnering with an MSSP include: compensating for in-house skill shortages at 31 percent; adopting, deploying and operating hard-to-use security technologies at 30 percent; and assisting with security automation at 28 percent.
“Cybercrime will remain a remarkably lucrative business model for the foreseeable future and, like legitimate industries, will continue to evolve through efficiencies, adaptation and innovation,” said Chris Schueler, senior vice president of managed security at Trustwave. “As this year’s report depicts, it’s this continuous advancement of the threat landscape, coupled with internal resource constraints, causing sleepless nights for those charged with securing assets. But it is encouraging that findings also suggest organizations are shifting away from treating security as an afterthought to focus on practices such as secure code development, frequent security testing, and bolstering internal capabilities through managed service models to ease pressure.”