BreachExchange mailing list archives

Security Perceptions, Reality Differ - Data security controls still chosen based on anecdote, experience and peer discussions


From: Christine Fulgham <christine () opensecurityfoundation org>
Date: Mon, 11 Oct 2010 21:11:24 -0400

http://www.sundaymercury.net/news/sundaymercuryexclusives/2010/09/05/bungling-west-midlands-medics-lose-12-000-private-patient-records-66331-27203177/

The very nature of data security is one couched in discretion: As a matter
of routine, processes are classified, and specialists in this area rarely
share their company’s state secrets.

Against the premise that the very nature of data security and its associated
risks keep organizations from sharing critical solution steps, insurance and
financial services organizations lack the metrics and raw collection
capabilities necessary to objectively measure and manage this growing
problem.

So say the authors of a new report
<http://www.imperva.com/docs/WP_Securosis_Data_Security_Survey_2010.pdf%20.> based
on the “2010 Data Security Survey” published by Phoenix-based
Securosis <http://www.securosis.com/>.
The report is designed as an early step toward providing security managers
and practitioners with practical information on the perceived effectiveness
of major data security tools and techniques. The results are based on the
responses of more than 1,000 security and IT professionals within
organizations of all sizes and with a heavy emphasis on financial services
and including health insurance as its own category.

“There is a huge gap in the security industry, forcing us to rely more on
anecdote and perceptions than hard measurements,” notes the report. The
study also notes some disparities between the common perception that
security breaches are on the rise and the reality of breach incidence.
"Nearly two-thirds of organizations either didn't know if they suffered any
data breach incidents, or stated that they didn't experience any," the
survey says. "Of those that did, 46% saw a decline in breaches, while 27%
reported the same number of breaches from the previous year."

The survey results indicate that organizations do not invest equally in data
security: financial services and government invest most in data security
personnel, with healthcare, retail, and manufacturing investing relatively
less (note that the authors only performed this analysis for some of the
verticals surveyed).

Other Key Findings
[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
