In the recently published ESG Research Report, Security Management and Operations: Changes on the Horizon, ESG surveyed 315 security professionals working at North America-based enterprise organizations (i.e., more than 1,000 employees).
We asked these folks to define the biggest security management challenges at their organizations. Not surprisingly, the top response (50%) was “budget constraints.” Regardless of whether it is ESG or other research, money is always a problem.
Beyond budget constraints:
- 30% of security professionals said that the security team spends too much time reacting to problems (and not enough time with proactive security management and planning).
- 24% of security professionals said that there was a lack of security skills within the IT department.
- 23% of security professionals said that they had too many security tools.
- 19% of security professionals said that their organization lacks the appropriate level of security intelligence to make accurate and timely decisions.
- 19% of security professionals said that there was a lack of security skills within the security team itself (note: This is a focus area for me, and in my humble opinion, it doesn’t get enough attention).
Here’s the interesting and somewhat alarming thing about this data – it points to problems across people, processes, and technology. Security professionals with inadequate skills, support, or security intelligence spend an inordinate amount of their time “putting out fires.” Furthermore, security management depends upon a potpourri of disparate security point tools that are probably not being used to their full potential due to these other issues.
I often say that enterprise security is in the midst of a paradigm shift. Point tools will be replaced by integrated security architectures. Vendors like HP, IBM, McAfee, Tibco, and RSA will soon look like the Microsoft, Oracle, or SAP of security software. The data presented herein provides another reason why I believe this.
For more information, see the ESG Research Brief, Cloud Computing and Server Virtualization Security Confounds CISOs.