Security Market Segment LS
Wednesday, 07 March 2012 21:55

The IT security perception gap



McAfee's latest security report underscores the huge gap in IT security between perception and reality.


In their latest report, "State of Security," IT security company McAfee reports on their latest research into "how organizations manage their security policies and processes, and what threats are perceived to pose the greatest risk to their business."


The report makes some rather pessimistic findings:

1. Organizations are confident about identifying the most critical threats to their environments and knowing where their critical data resides. Contrary to this assertion, most companies are not confident about quantifying the potential financial impact of a breach, should one occur.

2. Organizational awareness and protection against information security risks is very important. However, one-third of the "Optimized" companies are uncertain about their IT security posture in terms of awareness and protection.  Despite having formal strategic plans, many companies believe they are not adequately protected against information security risks.

However, there are some upsides:

3. A majority of the respondents tell us that as they develop Strategic Security Plans, they include consideration of potential threats and the associated risk to business and financial analysis.

4. Almost a third of organizations surveyed have either not purchased or not yet implemented many of the next generation security technologies that are designed to address current-day threats.

5. Most organizations identify malware, spyware and viruses as major security threats.  This indicator suggests that organizations recognize the pervasiveness of cyber criminals' attempts to compromise their environments.

6. Top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. The lowest priority is to reduce capital and operating expenditures for security infrastructure.

How did the surveyed companies self-assess their security readiness?



According to data from Evalueserve (the survey company commissioned to perform the research), the surveyed organisations rated their overall security maturity as either 'Reactive' (9%), 'Compliant' (32%), 'Proactive' (43%) or 'Optimised' (16%).

Beyond these assessments, the report contains some interesting quotes.  For instance, "Despite stating that they are "Compliant," 29% of the surveyed organizations either do not rehearse incident response scenarios after occurrence of a breach or never undertook the exercise of testing their incident response plans.  Moreover, organizations with a formal security plan display greater prudence in both rehearsing and preparing themselves against any likely breach that may occur."

In addition, "this survey shows as many as 79% of the organizations experienced security incidents in the past twelve months."




This extensive report (we have brushed only the surface of it) makes six key recommendations in conclusion.  All of these ought to be incredibly obvious to every organisation; it's a pity they (yet again) have to be restated.

Step up to a higher security maturity level. Only 16% claim to be at the 'optimised' level, and judging by other responses, even this figure is doubtful.  Of course the 9% at the 'reactive' level have a lot of work to do.

Executive involvement is crucial. Too many organisations have no IT security reporting path to the board or to the CxO level.  In addition, while a Strategic Security Plan is generally in place, it frequently comes under the exclusive ownership of the IT team and has neither involvement nor buy-in from the various lines of business.

Test early, test often, and make adjustments as needed. You *do* test your security plans, don't you?  The survey showed that 29% of 'compliant' organisations have never tested their response to a security incident.

Use budget allocations wisely.  The survey discovered there was little (if any) difference in the security expenditure between the 'optimised' and the 'reactive' groups.  The only difference was that the reactive organisations were spending the majority of the money *after* an event, not to prevent security incidents.

Use the right tools for the current threats.  There is little point buying yesterday's tools for today's threats; but too many companies are a long way behind the curve in this regard.

Focus on protecting the lifeblood of the company - the sensitive corporate data. Most companies (fortunately) see this as their highest priority.  McAfee (and iTWire) couldn't agree more.

We commend the report to all readers.







David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
