Security Leaders Increasing Frequency of Proactive Assessment to Determine Strengths and Allocate Resources Effectively
SANTA CLARA, CA–(Marketwire – Jul 30, 2012) – RedSeal Networks, the world’s leading proactive enterprise security management provider, today highlighted results of the recent ESG Research Report, “Security Management and Operations,” which found that a growing number of organizations are adopting continuous monitoring to improve protection of their electronic assets and validate compliance with required security policies.
Based on its survey of 315 U.S.-based IT security professionals working at enterprise-class organizations (1,000 employees or more), ESG found that more frequent assessment of infrastructure security is gaining momentum as a best practice and is used by a majority of advanced practitioners. Moreover, it was found that truly continuous, day-to-day monitoring of defensive effectiveness has emerged as a primary security management process among those organizations it classifies as IT security leaders.
Overall, three-quarters of enterprises have a formal risk management program in place that includes continual measurement of changing conditions that could somehow represent an increase in risk to the organization (including the addition of new assets, changes to existing assets, as well as the discovery of new threats and new vulnerabilities), ESG said. The findings were based on such drivers as the alignment of security process with corporate culture, and level of executive involvement with information security management. Over 40 percent of the organizations cited as IT security leaders within the report were already performing some form of proactive analysis every day.
ESG views continuous monitoring as such a strategic element of today’s security management process that it already considers the process as one of the differentiators it uses to distinguish leaders from those it considers laggards. While the practice is taking off among advanced practitioners, as many as 45 percent of all organizations are still only testing their defensive standing as often as twice per month, ESG said.
“Driven by the increasingly dangerous threat landscape, many organizations are now willing to be much more diligent with their testing” and many more will likely soon be doing so constantly rather than on an “as-needed basis,” ESG noted in the report. Meanwhile, only one percent of security practitioners surveyed reported that they have no strategy in place whatsoever to monitor defensive effectiveness.
Adopting the mindset that it’s “critically important” to proactively identify weaknesses within their own networks in order to gain “measurable experience of just how vulnerable they really are” is fast becoming a hallmark of the very best practitioners, said the experts.
“It makes a lot of sense to constantly examine how well your defensive infrastructure is actually performing, as the complexity of layered security, combined with the effect of daily change, makes it hard to assume any level of protection if you do not,” said Jon Oltsik, senior principal analyst at ESG and primary author of the report. “For many years people have done sporadic testing for compliance purposes, but what they’ve found is that by testing far more often and aggressively, they can reduce risk faster and get more out of their available resources.”
“We’ve been hearing from practitioners that manual and partially automated security management, the only available option until now, has become impractical because layered security has become so complex. There’s so much ongoing change to keep up with, they very often don’t even know where exposures exist,” said Parveen Jain, president and CEO at RedSeal. “Continuous monitoring makes sense because for so long we had no idea how to measure success within security management, other than avoiding a breach. It’s a lot smarter to prove you’re addressing these challenges all the time rather than wait for someone else to show your shortcomings at some point when it’s already too late.”
Parallel to the uptick in continuous monitoring, ESG found that most organizations are planning to leverage greater numbers of automated solutions to improve their visibility into risk and performance of their IT security infrastructure, with 56 percent doing so to automate remediation work, including management of firewall-based network security.
The full results of the ESG Research Report, “Security Management and Operations” can be found at: http://www.esg-global.com/research-reports/security-management-and-operations.
The report is available for free to ESG subscribers and available for purchase by others.