EY has released its Global Information Security Survey 2014. The survey, published every year, focuses on the issues facing information security pros for the coming year. Many of the trends identified in the report are trends that Forrester has seen evolve in the past two years. At the same time, these trends are accelerating. I am one analyst that is reluctant to paint information security with the fear, uncertainty, doubt (FUD) brush, but after reading the EY report I am not sure that FUD is inaccurate. We live in challenging times and the EY report validates this assertion. For example the research shows:
- Attack power on the part of adversaries continues to grow. The capabilities and attack power of the adversary are on the rise. Criminal syndicates, hacktivists, and state-sponsored attackers top EY's respondents' list of top attack sources. This is not surprising based on the level of political instability in the world and the financial gains cybercrime can provide criminal groups derived from cybercrime.
- Organizations are in battle with outdated weapons and strategies. Business today is using a set of outdated strategies and technologies to combat adversarial groups that are well financed and supported using some of the best offensive technologies available. These groups are well trained in the use of social engineering and technical cyberattack craft.
- Organizations continue to see a dissolution of the perimeter. Mobility, outsourcing, cloud computing, and third-party consulting agreements continue to poke holes in companies' perimeters. All of these issues point to the need of a more flexible defense that uses a variety of smart detection and protection methods.
- Organizations lack essential cyberskills. This is a pervasive issue that continues to plague commercial enterprise, government agencies, and service providers. Because many organizations historically underinvested in cybersecurity and because the skills needed for this area of practice are so varied it is difficult to find and hire skilled people.
- Organizations are unaware of the threats they face. Many attacks take months to detect. According to the EY research, 65% of the 1,800+ respondents say that real-time insight into cyberrisk is not available.
This research tracks very closely to Forrester's own Forrsights® security research. It is definitely worth taking a look. You can download the complete report here.