In this series, we examine how the reality of a security program differs from the perception some security practitioners hold. To do this, we’re focusing on four specific gaps that can weaken security defenses and lead to security incidents. For example, consider the rising number of cloud breaches caused by engineers disabling basic access controls, whether by accident or by design. Why does this happen? More specifically, what perceptions and work routines allow these kinds of things to happen?
In part 1, we examined three key gaps that F5 Labs research had already discussed over the past year: how incomplete inventory practices weaken risk management, how risk appraisal can become biased, and how risk mitigation can become misaligned with the top threats. In part 2, we explore a new, previously unreported mismatch in cyber security practices.
The CISO and SecOps
As security grows in importance within an organization, security leaders find that their reach and governance responsibilities have grown with it. Two years ago, we published a research report on how CISOs work with the rest of the organization. It showed a growing trend of CISOs moving out from under the IT umbrella and into general business risk positions. Overall, we feel this is a natural and effective evolution of the CISO role, but it is not without complications.
As part of the F5 Labs 2018 Application Protection Report, we commissioned the Ponemon Institute to survey thousands of security professionals across the world, covering all security-related roles within the enterprise. For most of the report, we used either the answers from security leadership (where the questions applied specifically to leadership) or the aggregate of the leadership and technician roles. This is the first time we have disclosed findings on the gap between how security leaders answered and how technicians answered.
First, however, let’s talk about the survey itself. We asked respondents about their individual roles within the organization and used those answers to classify each respondent as a leader, a technician, or both. Table 1 breaks down how this looked.
| Which of the following best describes your role in the IT security function within your organization? (Check all that apply.) | Overall answers | Role type | Respondents classified “Leader” who picked this role | Respondents classified “Technician” who picked this role |
|---|---|---|---|---|
| Setting IT security priorities | 50% | Leader | 60% | 33% |
| Determining IT security strategy | 40% | Leader | 53% | 17% |
| Assessing IT security risks | 60% | Both | 65% | 52% |
| Developing software applications | 28% | Tech | 21% | 40% |
| Implementing enabling security technologies | 52% | Tech | 45% | 63% |
| Managing IT security spending | 35% | Leader | 46% | 16% |
| Evaluating vendors and contractors | 47% | Leader | 56% | 31% |
| Selecting vendors and contractors | 39% | Leader | 47% | 26% |