If half of IT security pros don’t believe they are targets for attack, it’s no wonder that risk management isn’t a priority for organizations.  A recent report from the Ponemon Institute reveals the disconnect that IT pros have between the perception and reality of cyber-threats.  The study also goes on to highlight the discrepancies in the way these professionals address security concerns like advanced persistent threats.

  • Even though 67% of security pros view advanced persistent threats as the type of cyber-attack they are most concerned about, when asked what they would change in the next 12 months to address the problem, 49% said their usage of ATD technologies would either not change (43%) or decrease (6%).

Another inconsistency between how security professionals view threats and what they’re doing to improve cyber-preparedness within their organization: even though 90% of them believe security analytics is essential to maintaining strong security, only 36% of them are using security analytics.

A bigger question that follows these findings is how can security pros believe they are not possible targets?  Is it because they believe their organization’s data isn’t of interest to hackers or is it their confidence in their existing security process and posture?  Furthermore, if they don’t view themselves as possible targets, then why would any threat, like advanced persistent threats, be of concern?

Working in IT and security means you’re aware of just how changeable technology and software are; the dynamics of networks and vulnerabilities; what it means to have data in a digital environment; and so on and so forth.  An organization can have the best security tools and plan in place, but its CIO’s job doesn’t end there.  Experienced CIOs know that, which is why continuous monitoring and external security audits are a part of their risk management process.  It is also the reason why information security doesn’t only involve technology solutions, but much more.

If the Ponemon report had surveyed CEOs or the board, the discrepancies between perceived cyber-threat and cyber-preparedness could be more understandable.  Organization executives rely on their IT security experts to tell them what threats they face and what needs to be done in order to protect data and their infrastructure.  But given that the report surveyed IT security pros, it’s somewhat concerning to find these types of inconsistencies.

The disconnect between perceived cyber-threats and preparedness doesn’t help organizations protect themselves from security risks.  The challenges IT departments face within the enterprise, such as limited budget and the communication gap, still make it tough to understand where the false sense of security is coming from.  However, thanks to industry reports such as these, awareness of the problem is created, which consequently creates room for improvement.

Don’t let a false sense of security come back to bite you.  A security assessment of your environment can ensure there are no unseen vulnerabilities lurking around.  Get ahead of your risks before it’s too late.

Photo courtesy of Tashatuvango