
Survey: IT Security Managers Favoring Performance Over Security

Survey Reveals That IT Security Personnel Are Making Dangerous Security Trade-Offs

With the significant spike in recent data breaches and cyber attacks, organizations around the world are scrambling to implement additional security measures to help develop a strong security posture.

But according to the results of a recent survey, organizations may be making “security for speed” trade-offs, putting employees, customers, and partners at risk in order to meet business demands.

According to the results of the survey released today by Crossbeam Systems, IT security personnel within large corporations are shutting off critical functionality in security applications to meet network performance demands for business applications. In fact, 81 percent of respondents admit to shutting off security functionality to improve network performance, despite acknowledging that security is more important.

The survey, which polled nearly 500 network security, IT and C-level executives at global enterprises and service providers, reveals the extent to which IT personnel are struggling to address the “speed vs. security” trade-off. Ninety (90) percent of the respondents admit to making a trade-off between security and throughput performance. Moreover, a majority of respondents (67 percent) agree that, if forced to choose, security would trump performance when evaluating a security solution.

“The survey results are another proof-point for what has become a growing issue in the industry - the challenge of managing security performance,” said Chris Christiansen, program vice president, Security Products and Services, IDC. “The findings suggest the problem may be far greater than generally perceived, and it serves as a call to action for IT security personnel to take the time to test their solutions under real-world conditions, hold their security vendors accountable for the performance of their products, and gain a true understanding of their network requirements.”


Other survey findings reveal key factors driving the security vs. performance challenge, including:

IT security personnel are not testing security products under real-world conditions – Survey results showed a surprising 42 percent of respondents did not test the security solutions they were evaluating under real-world traffic loads. Among those that have conducted real-world tests, many of the basic security functions, such as intrusion prevention capabilities enabled with recommended policies, were not included.

“These results are shocking when you consider that most survey respondents come from large, global companies with enormously complex network environments,” said Mike Akerman, chief technology officer at Crossbeam. “The fact that nearly half of the respondents are not doing their due diligence by testing security solutions in real-world environments is surprising when you consider the growing number of threats. However, the more we can educate the market about the issues with security performance and what factors to consider when building a high-performance security architecture, the less IT will have to make difficult choices between serving the business and protecting users.”

Security vendor performance claims are misleading – More than 93 percent of respondents agree that security hardware vendor data sheet performance metrics are misleading, with 58 percent affirming that they simply do not trust these performance metrics. The result of this market confusion: more than 60 percent of respondents admit they have been forced to purchase additional hardware for a security solution to address the disparity between what vendors claimed their products could do and reality.

“In an economy with tightening budgets and close scrutiny of IT projects, misrepresentation of product performance has IT security personnel scrambling to understand how to build a high-performance security infrastructure from the start, rather than throwing more hardware on the network after the fact, which can create additional management problems and unplanned strains on IT resources,” added Akerman.

IT security personnel do not plan for the long term – The massive growth in data traffic demands, caused in part by the use of smartphones, tablets and other personal mobile devices to share multimedia, high-bandwidth content, is forcing IT personnel to anticipate their performance needs years in advance in order to build scalable and secure networks. Yet survey results reveal that a surprisingly low number of IT personnel at major corporations are thinking beyond the short term. Just over half (51 percent) report that they evaluate their performance needs only from less than a year to 24 months in advance.

Security products are not being fully optimized – Security products have become more sophisticated and multi-layered in their defenses. While this has helped organizations prevent attacks and protect users, these products have also become more complex to manage. Next-generation firewalls (NGFW), for example, promise to help IT security personnel achieve greater application visibility and control over their networks with a device that integrates functions such as advanced firewalls, intrusion prevention and application-awareness capabilities. However, the reality is that most survey respondents are not using the full capabilities of their NGFW and are, in fact, only using the minimum features. According to survey results, stateful firewall remains the core function being used (91 percent of respondents), followed by NAT (73 percent), IPSEC/VPN (71 percent), and IDS/IPS (65 percent).

“Crossbeam's survey results reflect an unsettling trend for many organizations that implement perceived feature-rich solutions like next generation firewalls and other security products. On paper, they sound impressive, but in reality, they fail to perform or meet real business objectives,” said Jeff Sherwood, founder and principal security strategist for the Executive Cyber Institute.

The survey, conducted in June 2011, asked nearly 500 network security, IT and C-level personnel at large global enterprises and service providers across several industries a series of questions about the trade-offs security personnel make between security and performance, and their experiences maintaining performance as they deploy next-generation firewalls. More than 80 percent of the organizations have revenues of $100 million or more, with 50 percent of these exceeding $1 billion in revenue.
