IT security pros lack confidence in preventing cyber attackers from stealing high-value data and say upper-management lacks an understanding of the potential losses, a global study shows.
The findings of the survey, sponsored by Websense and conducted by the Ponemon Institute, point less to a need for technology and more to a lack of shared intelligence on cyber threats and poor communications between security pros, CEOs and board-level executives, Jeff Debrosse, director of security research for Websense, said Tuesday.
[ It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
The survey of nearly 5,000 IT security pros in 15 countries, including the U.S., found roughly six in 10 convinced the organizations they worked for were not adequately protected against advanced cyber attacks. About the same percentage felt the same when it came to stopping the theft of confidential data.
The lack of confidence is expected, given that no security products are capable of building an impenetrable wall against attacks, Debrosse said. To bolster confidence, security pros should share attack intelligence to get a better understanding of their foes and how to defend against them.
"We can get a lot better at what we do once we start to formalize and come up with an acceptable vetting process to share information between organizations," Debrosse said.
Progress towards more information sharing between organizations has been slow, due to fears that rivals would use the data for competitive advantage, experts say. Companies often require layers of non-disclosure agreements that hamper efforts.
Government information is also hard to get due to fears of compromising national security.
Most private data shared today is between large organizations within single industries. In 2013, President Barack Obama issued an executive order requiring federal agencies to share more information with critical infrastructure owners and operators. Efforts in that area are ongoing.
As to the relationship between a company's leaders and security pros, eight in 10 of the latter believe upper-executives do not equate losing confidential data with loss revenue, the survey found.
Other recent Ponemon research has found that the average cost of a data breach within an organization is $5.4 million. But despite that potential loss, nearly half of survey respondents said board-level executives had a "sub-par understanding of security issues."
Executives often do not have a grasp on the state of defenses in an organization because security pros will describe problems in esoteric terms, Debrosse said. Security techs also tend to have "a bias that if you don't speak my techno-lingo, you must not be bright."
To clear this hurdle, both sides have to take into account each other's expertise in solving security problems. Executives have to get a fuller understanding of the risks associated with cyberattacks, and security pros need to focus on the cost-effectiveness of the approaches they take in locking down data.
This story, "Survey: Execs clueless, security pros unsure in fighting cyber attacks" was originally published by CSO.