Senior information security executives are so busy reacting to organisational and compliance requirements that their security departments appear to be locked into a reactive cycle that leaves little time for forward thinking.

The latest (ISC)2 research report, based on responses of more than 1,600 c-level executives from enterprises around, the world analyses the paradox between what keeps this group awake at night and how they are able to spend their time, with many admitting they have been unable to get ahead of their top most security concerns. John Colley, Managing Director, (ISC)2 EMEA reports.

The new report ‘A View From the Top - The (ISC)2 Global Information Security Workforce Study CXO Report,’ conducted through the (ISC)2 Foundation, was prepared in partnership with management consultants Booz Allen Hamilton and analysis given from the Frost & Sullivan firm, Stratecast. It highlights numerous examples where c-level executives are aware of threats, but have been unable to put measures in place to tackle them adequately.

Application security, for instance, is rated as the topmost security concern by 72 per cent of respondents, yet only seven per cent of them actually spend time on facilitating secure software development. Clearly, these senior executives are cognisant that software applications - be they for their core systems, mobile phones, PCs, iPads, tablets or online - represent the biggest attack surface for their companies, yet application security continues to be an after-thought for developers.

The report further highlights that application vulnerabilities are only detected when or after an exploit has occurred. For example, the exfiltration of sensitive data, suggesting little is being done to address the risk of introducing vulnerable code before an application is placed in operation. This is not a new concern, but the leaders in information security have yet to be able to devote their time, attention and obvious leadership in the field to help overcome this problem.

In the same vein, the proliferation of mobile devices has been transforming the workplace for many years. These gadgets continue to be seen as a security threat by 70 per cent of this group of respondents, appearing above malware (68 per cent), hackers (55 per cent), cloud (48 per cent) and cyber terrorism (39 per cent). Many admit, however, that they have been unable to successfully implement mobile security policies and programmes.

Fortunately, spending priorities are being directed towards mitigating security risks associated with the trend to embrace bring your own device (BYOD). Further, BYOD, was identified by 56 per cent as an area where they feel training needs to be provided. Other areas where senior security executives see the need for training include cloud computing (57 per cent) and information risk management (53 per cent). While it is encouraging that investment is planned, these are all areas that they should have been anticipating for some time. The lag in investment here is indicative of a reactive stance that this report suggests many senior executives have fallen into.

How do senior information security executives spend their time?

About three quarters of the senior managers participating in the study spend most of their time on governance, risk management and compliance policies (GRC). They are, in other words, setting standards and procedures and auditing against IT security compliance. This is particularly true of security executives in banking, finance, insurance sectors and government.

There seems to be little scope for getting ahead of the curve and understanding the trends - technology, business and threat - that affect the organisations’ security posture at any given time. In fact, only about 30 per cent said they spend significant time understanding new technologies.

Regulatory activity is growing on a national and international level as governments and regulatory bodies work at pre-empting attacks, which is to be expected. However, it is well accepted within security practice that any organisation that is consumed with security compliance management, will not be doing enough about the security itself.

Further, the regulatory landscape, in documenting how to secure against attack, provides the ‘How-to’ manual for the attackers as well. An organisation that focuses on compliance with regulation alone is effectively communicating their security posture to the outside world.

Part of the challenge lies in the fact that there just are not enough people to get the job done. Given the rapidly evolving threats, senior executives categorically state they are short-staffed. The key restraint appears to be business conditions a lack of budget or structure to support the people required. However, they also identified that finding the skilled information security professionals required is a challenge, underlining the need for an influx of new talent in the field.

For our relatively young, traditionally technology-focused discipline, an understanding of what skills are required may not be widely known. The leadership in this report told us that they view general business and organisational skills of nearly equal importance as knowledge and technical skills in terms of attributes of a successful security professional.

Ninety three per cent of senior executives believe communications skills are imperative; for a close 92 per cent it’s a broad understanding of the security field; for 85 per cent it’s awareness and understanding of the latest security threats; and 83 per cent feel technical knowledge is important or highly important. That being said, despite feeling the strain of a shortage of trained personnel, more c-level executives plan to increase spending on technology in the next year (39 per cent) than on staffing (35 per cent), which was another interesting paradox to note.

When asked what concerns drive investment in security overall, the c-suite overwhelmingly cites the desire to curtail damage to their enterprise’s reputation, with 83 per cent of respondents focused on this concern. Worries here feature well above service downtime (74 per cent), theft of intellectual property (58 per cent) and reduced shareholder value (49 per cent) - all areas known to have a more direct impact on the financial performance of their organisations.

Overall, industry should be aware of the substantial inconsistencies between what senior security executives believe to be important to achieving the highest level of security and how they actually spend their time. It is vital that they be given the room to maintain a focused and strategic perspective on security as they undoubtedly balance the pressures of existing business demands and the extremely challenging threat landscape.

John Colley, CISSP, is the Managing Director of (ISC)2 EMEA & Co- Chair of the European Advisory Board for (ISC)2, a non-profit professional consortium which has certified over 90,000 members worldwide. John has 20 years’ experience in information security. He has formerly held posts as Head of Risk Services at Barclays Group, Group Head of Information Security (CISO) at the Royal Bank of Scotland Group, Director of Information Security at Atomic Tangerine and as Head of Information Security at ICL.