Security think tank R&D-SSI publishes the results of a survey on the security of information systems
July 2012 by Association R&D-SSI
The association R&D-SSI, a think tank for the promotion, research and development of information system security, has conducted a survey with the endorsement of the network security company NETASQ to gauge corporate IT security awareness among its associates. The survey covered 3 key areas: (i) the perception of the threat, (ii) the perception of security solutions available on the market today, and (iii) respondents' opinions on security within their own company.
The survey was conducted during a meeting to launch the R&D-SSI association. It gathered 47 participants, all of whom work in the information security market, including consulting firms, IT service companies, consultants, service providers, end users, corporate customers, publishers, IT solution vendors, professional associations, value-added distributors, communities and the gendarmerie.
Results revealed an interesting picture of security awareness: 92% of those surveyed believe that the security threat level is higher now than it has been recently, but crucially only 57% thought they were the actual target. Awareness of a threat therefore does not necessarily mean that it is perceived as an immediate danger, especially for 43% of respondents. The most serious threats are those arising from user negligence or ignorance where mobility, cloud usage and cybercrime are concerned. Generally speaking, the pervading threat grows daily and, logically, it is the most sensitive departments of the company, such as HR or finance, that are more prone to being the targets of malicious acts.
As for the perception of the security solutions available on the market today, those that inspire little or no confidence mainly relate to cloud security, mobility management, access control, data protection and the protection of the client workstation, with 64% stating that today's security solutions do not respond to threats related to these technologies. These results tally with those on the perception of threats and with the list of technologies that the respondents are thinking of deploying in the coming months.
It is clear that several network or peripheral security projects could be implemented around specific ISs (industrial, HR or financial) and that the area of mobility would require the implementation of better security devices.
Overall, most of the respondents had mixed opinions on their companies, and all of them added that although what has been achieved so far to ensure security has actually produced results, a lot of work still needs to be completed.
16% of those surveyed felt that their company’s level of maturity in dealing with security problems was excellent, but 11% thought their companies did not feel sufficiently concerned about future threats. As for the investment in the IS’s security, 26% thought the investment was too low compared to the high stakes involved. 37% felt that their companies complied only partially with legal requirements.
The management of personal data (Privacy by Design) is considered only partially, or even inadequately, taken into account:
Fully: 3%
Not at all: 13%
N.B. Percentages are of the total number of participants. Totals are lower than 100% because some responses were not given.
Pierre Calais, president of the association and NETASQ’s Engineering and Operations Vice President, concluded: “This survey reveals a lot about organisations’ expectations in terms of security governance, certifications or ‘security labels’. Furthermore, it has also enabled the detection of great apprehension regarding privileged users and, more widely, users of the IS where their new methods of use such as mobility and the cloud are concerned. More thought needs to be given to these themes – and fast!”
Presentation of the survey
Aim of the survey
The aim of this survey was to set out ISSMs’ needs, their awareness of information security and all topics that may come under scrutiny in working groups set up by R&D-SSI.
This survey was carried out on December 8, 2011 during the meeting to launch the association and gathered 47 participants, all of whom are players in information security – consulting firms, IT service companies, consultants, service providers, end users, corporate customers, publishers, IT solution vendors, professional associations, value-added distributors, communities and the police forces.
Created in December 2011, the association R&D-SSI currently has 10 members. The aim of the association is to create added value. By bringing together institutions and players involved in supply and demand as well as in research, it positions itself to launch solid projects. Through the interconnection of service providers and publishers, this nonprofit association hopes to stimulate the market by creating a breeding ground for ideas that will result in the launch of projects adapted to the market. These projects will then be proposed for cooperative development by one or several companies in the North of France.