Enterprise IT security executives are facing increasingly broad, complex and sometimes conflicting security challenges, the 2013 (ISC)² Global Information Security Workforce Study has revealed.
Executives said preventing damage to their organisation’s reputation and service downtime are their top two cybersecurity concerns.
But when executives were asked how they spend their time, the top two answers were "governance, risk and compliance" and "security management", suggesting administrative tasks and priorities dominate their daily agendas.
"Security executives are faced with so many conflicting priorities and pressures that their decision making has become very stressful," said Hord Tipton, executive director of professional certification body (ISC)².
"This study demonstrates that many of today's C-level executives find themselves in constant security Catch-22s. They are frequently faced with conundrums in which there is no single answer, underscoring why enterprise security is so difficult to attain in today's complex threat environment."
Lack of trained security staff
Tipton sees the lack of qualified information security professionals as an exacerbating factor.
"Part of the problem is that information security professionals are typically having to take on the work and roles of two or three people," Tipton told Computer Weekly at the (ISC)² Security Congress 2013 in Chicago.
Tipton said the study indicates a shortfall of around 300,000 qualified information security professionals this year, which is evidenced by the constant poaching of the top people in the industry.
Another paradox the study found was that, while application vulnerabilities were the top-rated threat to the security of enterprise data, many executives said the demands of their organisations made it difficult to develop and implement secure application development processes.
Mobile security policies
Similarly, 70% of executives rated mobile devices as a top threat to their organisations, but many said they had not successfully implemented mobile security policies and programmes.
Most security executives believe they have too few people on their IT security staff, yet 61% cited business conditions as an obstacle preventing them from hiring more.
But despite concerns about the shortage of trained staff, more security executives plan to increase their spending on technology in the next year (39%) than on staffing (35%).
"Security is a dilemma for information security executives," said Michael Suby, Stratecast vice-president of research at Frost & Sullivan and author of the report.
"Data is proliferating and becoming more fluid, yet the need to protect it is greater than ever. Similarly, there is the challenge of today’s sophisticated attackers, who are becoming increasingly skilled at hiding their exploits. The most significant threat to an organisation is what it does not know or cannot detect."
William Stewart, senior vice-president at Booz Allen Hamilton, said: "It is clear that chief security executives are faced with an array of challenges that cannot be overcome by any single methodology or set of solutions.
"One of the biggest obstacles security departments face is the dynamic interplay between an organisation’s business and IT priorities and the rapidly changing nature of the threat environment.
"To overcome this challenge, CXOs need to focus on prioritizing critical assets, closely collaborating with the other organizational leadership and conducting thoughtful and forward-looking threat analysis."