We all know that security incidents of all sizes are increasing, but what about the breaches we don’t hear or know about? According to a new survey from AlienVault, as many as 20% of IT security professionals could have witnessed a breach being covered up or hidden.
And out of those surveyed, only 25% of professionals would see the best course of acton as telling the regulator and paying the fine.
‘Information security is still a comparatively immature industry,’ argues Javvad Malik, security advocate for AlienVault.
He fears that this rapid growth of the industry in such a short timeframe has forced security professionals to ‘make up the play book as they go along, evidenced by inconsistent disclosure practices as well as the ever-changing and complex legal path to navigate.’
‘The survey’s findings that 20% of IT security professionals have witnessed or been part of a breach being hidden is the prime indicator of the strain placed upon the industry,’ says Malik. He attributes this to the competitive nature of the technology world, saying ‘the time and effort it could take to recover from a breach can be significant. Particularly where sensitive data is involved.’
The surveyed also showed that 66% of IT security professionals view a breach as an opportunity to increase the funding for their security departments. According to Malik, this shows that despite the raised profile of security, it still takes an incident to obtain budgets and raise security.
Statistics like these are what causes industry experts such as Malik to argue for much greater support base for IT security professionals, through training and networking, saying ‘most organisations are coming round to the belief that along a long enough time scale, a security incident or exposure in their product is inevitable.’
When asked if they need to resort to hacker forums and working with black hats to keep abreast of the latest threats and technologies – something that isn’t always legal – over half replied yes.
Malik says ‘support from within the security industry on emerging threat and attacks isn’t sufficient or freely available to professionals liking to access information in a timely manner.’