How do you feel about your current IT security strategy? Is it doing what it needs to do? Is it sufficiently funded? Would you do something different if you had a bigger budget? If you did have more budget dollars, where would you allocate them? Would you hire more staff? Would you hire a security professional? Would you invest in new technologies?
There’s seldom time in the day for people in the IT industry to think about their IT security strategies and the “what ifs.” However, looking at the results of surveys does provide the opportunity to look at what your organization is doing compared to what your peers’ organizations are doing. That’s one of the things US Signal’s 2022 Security Census offers.
The report summarizes the results of a 14-question survey on cybersecurity and related issues that US Signal distributed to customers and prospects. It provides some general insights into what IT professionals across the country ─ and in a variety of industries ─ are doing in terms of IT security. In many cases, the survey’s results are in line with those of many other IT security-focused studies. Other responses were somewhat surprising.
Few Major Security Incidents; Few Security Professionals
One result we considered surprising ─ only 5% of the respondents had experienced what was considered a major security incident over the past year. Given the statistics provided by other organizations, lucky may be the better word.
The Ponemon Institute reports that 68% of organizations have experienced one or more endpoint attacks that successfully compromised data and/or their IT infrastructure. Statista noted that 61% of SMBs and 74% of large businesses experienced a data breach in 2021.
Not surprising ─ 45% of the respondents’ organizations had no dedicated IT security professionals and 20% had only one. Budget limitations likely play a role; the shortage of IT security experts probably plays an even bigger one.
The State of Current IT Security
In the realm of “interesting” were the responses to the question about satisfaction with their companies’ IT security strategy and infrastructure. Sixty percent selected one of these two responses: “I love it. When people ask, I’m happy to share our approach and why” or “It’s not bad but if I had more resources, I’d definitely make some improvements.” Another 10% chose “To be fair, I’m not really sure if I should be satisfied or not, everything seems to work.”
Many studies show that most IT professionals are at least somewhat dissatisfied – if not completely frustrated and overwhelmed – by their IT security approaches. That’s understandable given stagnant budgets, workforce shortages – particularly for IT security experts – too many alerts, and not enough time.
All Good for the Most Part
As previously noted, only 5% of the survey respondents said they had experienced what was considered a major security incident over the past year. Other studies indicate that over 60% of all companies have experienced some kind of data breach or other security incident.
The low percentage could be due to a lack of definition as to what constitutes a major security incident. Nonetheless, the other 95% likely feel confident in how well their IT security approach is working. The majority of respondents (72%) also noted that the perceived importance of security by leadership and users has improved over the last year. That may cause them to feel their security approach has support and, by extension, is working well.
In terms of compliance issues ─ typically a major concern and challenge for IT professionals ─ more than one-third (35%) of the survey respondents stated they weren’t subject to at least one of the seven primary compliance frameworks listed. If that’s the case, that 35% isn’t dealing with the ambiguities, costs, ramifications of potential non-compliance, and other stressors associated with regulatory requirements and industry standards. That could make them feel more favorable towards their security approach.
However, that percentage seems high given that most organizations these days are subject to regulations regarding data privacy and security. The respondents could have been unaware of their organizations’ compliance requirements. Or their organizations are subject to regulatory requirements or mandates outside those listed.
Staffing Remains an Issue
While the perceived importance of security among leaders and employees was considered high in the survey, security staffing levels didn’t reflect that. Nearly one-half (45%) of the respondents’ organizations had no dedicated IT security professionals; 20% had only one. That may have something to do with why 29% indicated that lack of employee bandwidth for security initiatives is the number one thing holding back their security programs. An insufficient budget to hire and retain knowledgeable staff was noted by 17%, while 21% listed the lack of funds to purchase the breadth or maturity of security needed.
Given the staffing issues, it's surprising that only 14% of respondents listed hiring staff as their most important budget priority for 2022. It ranked as the lowest priority for 37%.
More Insights Available
Highlights of the results were also discussed in a recent Beers with Engineers event that you can view here. Key topics covered from the survey included 2022 investments, managed security services, and critical security controls.
In addition, the panel of IT and security experts from US Signal, Veeam, and Palo Alto discussed issues derived from the survey. Among them: the evolving information security landscape, the common challenges customers are facing, and recommendations for overcoming them. (Hint: don’t underestimate the power of IT security basics.) Tune in and learn what they had to say about the next cyberattack trend coming after ransomware; Zero Trust; commonly exploited vulnerabilities; and more.
A complete overview of the survey responses is also coming soon. Interested in talking about your company’s current or upcoming IT security needs? Contact us. Call 866.2.SIGNAL or email [email protected].