Government can take greater lead on IT security, says Gartner
Gartner VP warns of worsening cybersecurity, says government can play bigger role
Governments are struggling to find their role in tackling the worsening cybersecurity environment, according to Gartner research VP Greg Young.
Speaking at the Gartner Security & Risk Management Summit in Dubai this week, Young said that the overall security situation is getting worse as organisations face an increasing number of threats across different vectors coupled with a shortage of skilled IT security professionals.
Among the threats to IT security is the ongoing failure to address known security issues, with many incidents caused by exploits of old flaws in systems, although the security industry is more focused on unknown, 'zero day' threats. Three-quarters of all web servers are not secured properly, and with the rise of mobile devices and the Internet of Things, the number of different systems that can be attacked or used as a platform for attack is increasing rapidly.
"Today things are pretty bad," Young said. "One of the concerns that we have is that when we look at the timeframe, 2014 onwards, it is not only that we haven't got better at securing all these problems, but that the problems that we are finding are more serious; the spike in the criticality, how severe these holes are, is even greater. We are getting a lot worse at security overall.
"As a security person, I have always really disliked FUD - fear, uncertainty and doubt - but a practical look at the facts says this is not a great message," he added.
Many organisations are turning to encrypted communications, which provide a degree of privacy and security, but encryption is also having a negative impact on security, Young added, and it is also being used by attackers. By 2017, more than half of network attacks against enterprises will use encrypted traffic to avoid detection.
"One of the downsides we are seeing is that a lot of the encryption blinds security technology. Anti-virus and so on that looks for the threats, can't see through encryption. It can make us less secure as well," he said.
A lack of IT staff with security skills is becoming the most severe issue for security: around 40% of all security positions are unfilled at present, and Gartner predicts this could rise to 50-60% within the next few years.
Young said that the issue was not one of spending on security, which continues to increase, but rather that there are simply not enough staff to make effective use of all the security tools and applications that organisations are deploying.
"You can't keep giving the same number of staff more and more tools and expect them to do the task, it is overwhelming them. In some of the biggest attacks we've seen, people had a lot of tools, but it was just too much for them," Young said.