Monday, September 01, 2008

Top 10 IT security worries

Last week, Infosecurity Europe published the results of some research they did in relation to IT security concerns. I can't seem to find the original source, but there are stories all over the place about it (here's one example).

Here's the top 10 list, including the percentage of respondents worried about each:
  1. How to prevent data leakage from within an organisation - 69%
  2. How to secure remote, mobile and collaborative working - 58%
  3. Governance risk compliance - get security right to ensure compliance - 56%
  4. Implementing security that supports more cost efficient IT infrastructure - 48%
  5. ID and access management that works - 43%
  6. Building security that is future proof - 42%
  7. How to make IT architectures and strategies more secure - 39%
  8. How can security help make IT more agile and aligned with future business needs and growth - 31%
  9. Security in new or emerging markets where infrastructure/networks are hostile - 25%
  10. Assuring common security standards with third parties, customers, suppliers and outsourced activities - 25%
I don't usually give much credence to surveys in terms of the numbers they publish, but this list serves as a decent guide if you want to gauge the concerns in the market.

Anyway, I thought I'd give a paraphrased version of the list (from a C-level executive's perspective) to outline what could be driving each concern:
  1. Holy crap, I really don't want to get on this list...or the front page of any newspaper for that matter.
  2. Damn Apple and them iPhones. And can someone tell me why I would want to read my email on weekends via my BlackBerry?! Can't I just use webmail? Oh hang on, that's still remote access.
  3. When are the auditors showing up again? Next month? Crap!
  4. IT costs too much. Can we cut some crap out and call it a security measure?
  5. Why the heck is our Identity and Access Management project still running? We started that piece of crap 5 years ago!
  6. You wanted firewalls. I bought some firewalls. Then you wanted intrusion detection. I bought you intrusion detection. You wanted event monitoring. I bought you event monitoring. Then you wanted access management. I bought you access management. Then you said we had to deal with identities. So I bought you identity management stuff. Then you said we had to audit all this stuff. So we got auditing. Then you tell me our auditors want to check we're compliant with about 50 standards. I bought you that crap too. Then you said we had to secure our applications. I bought all that kit and all this stuff to do with entitlement management. Now we have to worry about data and what people do with it. I'm looking at that crap for you too. What is it going to be next month darn it?!?!
  7. Can someone just tell me why we can't hire enterprise architects that know something about security apart from how to spell it? Our guys just send me whitepapers from software vendors and attend conferences.
  8. Can someone do something about the fact the IT department is still stuck in the 90s? Pleeeeease?
  9. I want to do business in China and Russia. Can someone tell me how not to get hacked?
  10. We don't use standards? What the heck do we pay you people for?!