The Securosis 2010 Data Security Survey
This morning Imperva published a survey produced by Securosis: the Securosis 2010 Data Security Survey. It is a fascinating work, but I suspect that it will be of more value to security vendors than security buyers – it is, in short, an analysis of perception rather than proven reality: it is a compilation of what security practitioners believe works for them.
In fairness, the report doesn’t actually claim to be anything else:
The Securosis 2010 Data Security Survey is designed as an early step towards providing security managers and practitioners with practical information on the perceived effectiveness of major data security tools and techniques. The results are based on the responses of over one thousand security and IT professionals within organizations of all sizes.
So when you read the report, keep that phrase ‘perceived effectiveness’ in mind. Where a particular security control is not included, you need to ask yourself whether this is evidence of absence or an absence of evidence.
Two examples. Firstly, there is not one single mention of anti-virus or anti-malware as a security control in the entire report. Why is this? Is it because AV is not considered relevant, not considered effective, not used at all, or so all-pervasive that its value goes without saying? There is no way of telling.
Secondly, according to the survey, “Email filtering is the single most commonly used control, and the one cited as the overall least effective.” Is it actually the least effective, or just perceived to be the least effective? Could it be that it is invisibly effective 90% of the time, and the 10% of failures is all that people notice? Again, there is no way of telling.
So here’s my problem with this report. If you are a vendor, it’s brilliant. You know where to concentrate your efforts. If you sell DLP and full-disk encryption, recruit some more salesmen and get out there: DLP and encryption are perceived to be good.
But if you are a small company with not too much in-house security expertise, this report could actually be dangerous. You will be tempted to think, well, the professionals don’t rate anti-virus or email filtering so I won’t bother with those – I’ll spend all my money on data leak prevention. The danger is that smaller companies might be tempted to use this survey as an inexpensive alternative to a proper risk analysis. And that would be a bad thing.
Having voiced these concerns, I would still say the report is worth a look, provided that you keep that word ‘perception’ in mind. As Imperva’s Amichai Shulman says, “This survey will help security teams identify what their peers find successful and hopefully help make improvements to their own strategy and operations.”