As a security professional, I can attest that the lifeblood of any company is the sensitive data it processes. To be useful, this data needs to be connected to other applications; mashed-up with other data sources; and presented to a wide variety of mobile users, business owners, and API endpoints. Protecting this data is the charter of a company’s Information Security team and the responsibility of all employees who work there. It is this dichotomy of “access with restrictions” that makes data security so hard to master, creating risk and opportunity for every company. It’s no wonder that the cybersecurity startup market saw its highest level of funding in 2015: rising to $3.8 billion, representing 238% growth in 5 years.
Last year I worked as an EIR with Scale Venture Partners meeting with CISOs to discuss their most-pressing issues related to their programs and success. Following on that work, Scale partnered with the Ponemon Institute and Informatica to uncover what data security concerns were top-of-mind for security practitioners and how they approached those challenges. Ponemon surveyed 432 IT security practitioners who are responsible for IT security or data protection services within their company. This is the 2rd year of our survey, with some familiar themes and a few surprises. And, because data security was a strong concern in last year’s study, we dove deeper to look at some of the underlying motivations.
What remained the same for security practitioners provides great opportunities for innovators and solution providers. Those who are “fighting the good fight” face a lot of headwind with growing risks of data breach, an expanding attack surface, and inability to measure (or prove) ROI.
Key Findings – What is still keeping us up at night?
1) The top trends forcing organizations to invest in security remain the consumerization of IT (aka “Shadow IT”), including cloud computing and the growth of BYOD, as well as smartphones and tablets. These technologies expand the locations where sensitive data resides, making it harder to protect—but also making it easier for the business to consume and use. This trend shows no sign of slowing down, giving innovators plenty of runway to search for new solutions and giving practitioners choices in how they can protect information appropriate for their context.
2) Despite all of their investments and activities, security teams cannot measure and report their business impact. Only 34% of survey respondents have metrics that report business value or meaningful results, which are ultimately what security teams need to secure financial resources and have business-level conversations beyond technology and the “attack-of-the-day.” Translating security and risk domain expertise into practical business terms and ROI remains a challenge.
3) Data breaches are still a top concern, and are on the rise. This is amplified by a lack of confidence in where their sensitive data resides (almost two-thirds didn’t know), and the struggle to quantify the risk to sensitive data in databases, unstructured files, or big data clusters.
Thankfully, there is strong market fit for solutions that protect data moving to the cloud, both in terms of protection and visibility. New technologies show promise but are early in their adoption curve, while technologies designed to address malware are starting to show signs of maturation.
Key Findings – What was new or different for 2015?
1) Secure Cloud Gateways are hot, with room to grow. In 2014, our survey respondents said cloud computing was a top-risk but very few noted it as an investment area. Around the same time, top IT market researchers were declaring cloud security access brokers (CASB) the #1 spot in their top-10 list of Information Security technologies. Fast forward a year and 40% of respondents declared CASBs as a top security control for the next 3-5 years. This is consistent with the growth in cloud data and mobility—and the associated risks.
2) Behavior-based monitoring technologies still have not been widely adopted. Despite a lot of hype over the past couple of years, users monitoring sensitive data should be the sweet spot for this technology. While only one-quarter of respondents were applying this control to monitor their sensitive data systems, over half (54%) agreed that it should be used to track privileged user access.