One of the more maddening aspects of being an IT security services provider is the approach organizations take to IT security. In theory, a raft of revelations concerning security breaches should have organizations begging for additional IT security expertise. But a new survey of 500 IT security professionals conducted by CompTIA finds that half of them think the security technologies and processes they have in place today are good enough to protect them.
Yet the survey also finds that satisfaction with existing security products remains below 50 percent. Taken together, the two numbers show that there is a surprising amount of inertia that providers of IT security services need to overcome. The simple fact of the matter is that there is still a lot of complacency when it comes to IT security, despite the near-daily revelations concerning one breach or another.
Companies in denial
IT professionals clearly have a high opinion of their own security capabilities. What most of them fail to take into account, though, is that most cybercriminals prefer to seek out the path of least resistance. Most breaches today exploit relatively simple, well-known vulnerabilities, so many IT professionals chalk breaches up to human error rather than seeing them as another example of a significant rise in the level of threats they face. Cybercriminals manage their operations like any other business. They only exert the amount of effort required to accomplish a task, because time is money—even for cybercriminals.
For these reasons, providers of managed IT security services need to focus more on educating both IT professionals and the business leaders they work for about the actual level of risk they face. While advances in IT security awareness have clearly been made, business executives tend to think of IT security as an exercise in risk management.
But just because business executives are more aware of the risks involved, it does not necessarily follow that they're willing to spend more on IT security. In fact, many new digital business initiatives go forward in the forlorn hope that cybercriminals won't discover how vulnerable the organization really is.
Proving an organization's vulnerability
Naturally, the single most effective way to rid an organization of its security illusions is penetration testing. The challenge many IT services firms face, however, is not penetrating an organization's defenses, but rather getting the organization to fund the penetration testing in the first place. Of course, an IT services firm may want to do that test for free if it is confident the exercise will lead to additional services revenue. The cost of penetration testing often winds up getting buried in the larger deal once a services contract actually gets signed. But for an IT services provider to put in all that effort, there needs to be confidence that the penetration testing is going to lead to additional opportunities.
The simple truth of the matter is that, despite the level of confidence most internal IT organizations may have about security, the vast majority are poorly trained. That's not their fault. But given that pride is usually the first thing to fall, it's up to the IT security provider to make sure there are only a few gentle bruises to the ego of the internal IT staff, by making that landing as soft as possible.