Research conducted by AlienVault has shown that 20% of IT security professionals have witnessed a breach being hidden or covered up. The survey also found that in the event of a breach, only 25% of professionals would see the best course of action as telling the regulator and paying the fine.
“Information security is still a comparatively immature industry,” argues Javvad Malik, security advocate for AlienVault. He fears that the rapid growth of the industry in such a short timeframe has forced security professionals to “make up the play book as they go along, evidenced by inconsistent disclosure practices as well as the ever-changing and complex legal path to navigate.”
The survey’s findings that 20% of IT security professionals have witnessed or been part of a breach being hidden is the prime indicator of the strain placed upon the industry. Malik attributes this to the competitive nature of the technology world, saying “the time and effort it could take to recover from a breach can be significant. Particularly where sensitive data is involved.”
The survey also showed that 66% of those surveyed view a breach as an opportunity to increase the funding for their security departments. According to Malik, this shows that “despite the raised profile of security, it still takes an incident to obtain budgets and raise security.”
Statistics like these are what Malik uses to argue for a much greater support base for IT security professionals, through training and networking, saying “most organisations are coming round to the belief that along a long enough time scale, a security incident or exposure in their product is inevitable.”
When asked if they need to resort to hacker forums and working with black hats to keep abreast of the latest threats and technologies – something that isn’t always legal – over half replied yes. Malik says “support from within the security industry on emerging threat and attacks isn’t sufficient or freely available to professionals liking to access information in a timely manner.”
It is also worth the consideration that it is a case of ‘know your enemy’, and Malik has strong anecdotal evidence of many in the industry believing this is the case.
It is these kinds of attitudes which Malik says needs to be remedied, or he fears “security professionals will find themselves under more pressure to cut corners and bend rules in order to keep the show on the road.” He suggests the culture of the industry should change to one that “accepts, fixes and moves along when they [breaches] do occur.”
(This survey was conducted with 1107 respondents at RSA 2015.)