Organizations Struggle with Data and Application Security Budgets & Strategies

Report Shows Organizations Continue to Lack Communication and Understanding of Data and Application Security Strategies.

A trio composed of Application Security, Inc., Unisphere Research, and the Oracle Applications Users Group (OAUG) today released its 2011 Data Security report, “Managing Information in Insecure Times.”

The poll of 430 Oracle Applications Users Group members revealed that the greatest challenges they face around application and data security are primarily organizational and budget related. According to the survey, fifty-three percent of respondents said that budget was the greatest hurdle to their information security efforts. I can’t say this is at all surprising. Information Security professionals have been challenged with budget constraints as far back as we know and have always had to battle for increased budgets.

We all know the best way to get that budget increased is to get hacked. Unfortunately, that could also result in you losing your job and having the increased security budget end up in the hands of your successor.

Additionally, the report showed more than one-quarter of respondents citing disconnect between IT teams and executive management as a major impediment to implementing proper security measures. The report notes that the challenge for many companies isn’t necessarily finding and installing the right security technologies. The common problem is that IT managers often find it difficult to convince corporate management of the need to take preventive and proactive measures. As one respondent, a systems architect with a large high-tech firm, observes, “In times of economic stress, performance and security go out of the door and are the ones to get cut first. However, this is short-sighted and can result in significant losses, but perhaps help get that security budget back and maybe even more? Almost one out of four pin the blame directly on management complacency.

Along with budget constraints and disconnect between IT and executive management, results of the survey show that another issue is outright lack of understanding of threats. Thirty-three percent claimed a lack of understanding of threats prevented them from rallying support for countermeasures. While this wouldn’t be surprising if the poll was from a broad IT audience survey, I would expect Oracle Applications Users Group members to be a bit more savvy on the threats surrounding application security.

“First of all, management should try to understand the security threat and its impact to business,” advises one respondent, a DBA with a large mining company. “Then, management needs to align the system to business needs and requirements, as well as practically decide for the budget, which should include funds for security re-engineering.”

Company War Games

Some companies, however, are taking creative approaches to both raise awareness and identify potential vulnerabilities. One respondent, a manager with a large financial services group, for example, says that his company addresses security vulnerabilities by staging a series of what it calls “war games,” in which a user or group of users is tasked with trying to compromise a system, while another user or group of users is tasked with preventing the break-in. These corporate war games seem to be similar in scope (but with a higher level of sophistication) to something like the “CyberPatriot” competition where students compete virtually against their peers to learn to defend computer networks from real-life computer threat scenarios.

“Given the increased number of threats and the acceleration of database attacks, the failure of organizations to support and implement proactive data security measures is a formula for disaster,” said Thom VanHorn, Vice President of Global Marketing at Application Security, Inc.

Other findings in the report include forty-five percent of respondents seeing some risk in the rise of “private cloud” computing and having concerns about the security implications of sharing data and application services outside of their business units. While cloud computing continues to be a growing industry trend, three out of four have not defined a strategy for cloud security. The study found that forty-three percent of the respondents were most concerned with passing compliance audits; however, only fifty-six percent have successfully passed audits most or all of the time, while thirty-six percent are unsure of their standing.

Additional Key Findings from the 2011 Data Security Report:

• 91% are unsure of the costs associated with data breaches

• 48% declared that human error is the greatest challenge to information security, followed by a tie for second place (30%) between insider threats and accidental loss of storage media device

• 14% of respondents are deploying databases in the cloud

• 53% stated that budget was the greatest impediment holding back information security efforts, while 33% claimed a lack of understanding of the threats

• 43% believe that they will see a better alignment between business IT security, and IT operations because of compliance while 38% anticipate improved accuracy and security of its organization’s financial reporting data

• SOX, HIPAA, and PCI-DSS are the key compliance initiatives being addressed by respondents, respectively.

• 78% conduct periodic compliance audits

• 55% monitor production databases for security issues, with 31% taking advantage of automated tools

“This OAUG ResearchLine report points to a troubling lack of awareness and funding support by management toward application and data security. The OAUG is committed to raising awareness throughout the enterprise of the serious vulnerabilities that currently exist and encouraging action that treats security as a required strategic investment,” said OAUG President Mark C. Clark.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
