Organizations Struggle with Data and Application Security Budgets & Strategies

Report Shows Organizations Continue to Lack Communication and Understanding of Data and Application Security Strategies.

A trio comprised of Application Security, Inc., Unisphere Research, and the Oracle Applications Users Group (OAUG) today released its 2011 Data Security report, “Managing Information in Insecure Times.”

The poll of 430 Oracle Applications Users Group members revealed that the greatest challenges they face around application and data security, are primarily organizational and budget related. According to the survey, fifty-three percent of respondents said that budget was the greatest hurdle to their information security efforts. I can’t say this is at all surprising. Information Security professionals have been challenged with budget constraints as far back as we know and have always had to battle for increased budgets.

We all know the best way to get that budget increased, is to get hacked. Unfortunately, that could also result in you losing your job and having the increased security budget end up in the hands of your successor.

Additionally, the report showed more than one-quarter of respondents citing disconnect between IT teams and executive management as a major impediment to implementing proper security measures. The report notes that the challenge for many companies isn’t necessarily finding and installing the right security technologies. The common problem is that IT managers often find it difficult to convince corporate management of the need to take preventive and proactive measures. As one respondent, a systems architect with a large high-tech firm, observes, “In times of economic stress, performance and security go out of the door and are the ones to get cut first. However, this is short-sighted and can result in significant losses, but perhaps help get that security budget back and maybe even more? Almost one out of four pin the blame directly on management complacency.

Along with budget constraints and disconnect between IT and executive management, results of the survey show that another issue is outright lack of understanding of threats. Thirty-three percent claimed a lack of understanding of threats prevented them from rallying support for countermeasures. While this wouldn’t be surprising if the poll was from a broad IT audience survey, I would expect Oracle Applications User Group members to a bit more savvy on the threats surrounding application security.

“First of all, management should try to understand the security threat and its impact to business,” advises one respondent, a DBA with a large mining company. “Then, management needs to align the system to business needs and requirements, as well as practically decide for the budget, which should include funds for security re-engineering.”

Company War Games

Some companies, however, are taking creative approaches to both raise awareness and identify potential vulnerabilities. One respondent, a manager with a large financial services group, for example, says that his company addresses security vulnerabilities by staging a series of what it calls “war games,” in which a user or group of users is tasked with trying to compromise a system, while another user or group of users is tasked with preventing the break-in. These corporate war games seem be similar in scope (but with a higher level of sophistication) to something like the “CyberPatriot” competition where students compete virtually against their peers to learn to defend computer networks from real-life computer threat scenarios.

“Given the increased number of threats and the acceleration of database attacks, the failure of organizations to support and implement proactive data security measures is a formula for disaster,” said Thom VanHorn, Vice President of Global Marketing at Application Security, Inc.

Other findings in the report include forty-five percent of respondents seeing some risk in the rise of “private cloud” computing and having concerns about the security implications of sharing data and application services outside of their business units. While cloud computing continues to be a growing industry trend, three out of four have not defined a strategy for cloud security. The study found that forty-three percent of the respondents were most-concerned with passing compliance audits, however, only fifty-six percent have successfully passed audits most or all of the time, while thirty-six percent are unsure on their standing.

Additional Key Findings from the 2011 Data Security Report:

• 91% are unsure of the costs associated with data breaches

• 48% declared that human error is the greatest challenge to information security, followed by a tie for second place (30%) between insider threats and accidental loss of storage media device

• 14% of respondents are deploying databases in the cloud

• 53% stated that budget was the greatest impediment holding back information security efforts, while 33% claimed a lack of understanding of the threats

• 43% believe that they will see a better alignment between business IT security, and IT operations because of compliance while 38% anticipate improved accuracy and security of its organization’s financial reporting data

• SOX, HIPAA, and PCI-DSS are the key compliance initiatives being addressed by respondents, respectively.

• 78% conduct periodic compliance audits

• 55% Monitor Production Databases for Security Issues, with 31% taking advantage of automated tools

“This OAUG ResearchLine report points to a troubling lack of awareness and funding support by management toward application and data security. The OAUG is committed to raising awareness throughout the enterprise of the serious vulnerabilities that currently exist and encouraging action that treats security as a required strategic investment,” said OAUG President Mark C. Clark.