According to the seventh Global Information Security Workforce Study, released by (ISC)² in partnership with Booz Allen Hamilton, Cyber 360 Solutions and NRI, and conducted by Frost & Sullivan, “technology sprawl” is the latest concern of two-thirds of the 14,000 information security professionals polled from around the world. People in the Asia-Pacific (APAC) region were found to be more concerned about this ineffective architecture, or technology sprawl. Indian firms are the most concerned about infrastructural sprawl in the APAC region, with more than two in five reporting that they are very concerned.
The 2015 edition of the study reported the highest figure (45 percent) for increased spending on security technologies. The study also revealed that more than half of the respondents (54 percent) acknowledged that phishing is the top scheme hackers employ.
The study also illustrates that security spending is increasing across the board for technology, personnel and training. Furthermore, companies were found to be investing more in tools and in multiple security technologies. According to 32 percent of the respondents, despite this increased investment, threats are evolving faster than vendors can advance their products. Clayton Jones, Managing Director, Asia Pacific, (ISC)², assumes that this expenditure will continue to increase steadily in the future.
Clayton Jones said, “Technology sprawl is a result of investing in technology without the consideration of the whole security architecture. This calls for a societal response, which is beginning to happen, but not at the rate that is required to stay ahead of the threats.” On solving the issue of technology sprawl, Jones said that companies don’t find investing money to be the sole solution: “A security solution is only as effective as the people who are managing it. Investing in security is one thing, but utilizing the control tools is another. Security processes and tools require a specific set of skills to understand how to use them to the fullest. Therefore, just investing in the tool is not the main point. The right personnel with the right knowledge and attitude are the keys.” He explained that strategizing and investing in security technologies, personnel and outsourcing won’t be enough to turn the tide on a reactionary role.
Chuan-wei Hoo, CISSP, Technical Advisor, Asia Pacific, (ISC)², is of the same opinion, saying that awareness and information security training should be implemented before any technology is applied. He further added, “Consumers will also have to rely on the respective government entities, regulators, NGOs, and service providers to provide the necessary awareness programme. With a programme in place, we will also need to measure the effectiveness of it. It is imperative that the programme is designed by a certified information security practitioner.”
Guiding people through this technology crisis, Mr. Hoo has come up with some basic technology guidelines:
- Keeping the software on the system updated.
- Keeping anti-virus and anti-malware (spyware, adware, etc.) protection enabled and updated.
- Enabling endpoint security where applicable (e.g., enabling the desktop firewall on Windows).
- Checking website authenticity, and checking whether a file is suspicious, before clicking or downloading anything that seems fishy.
- Adopting two-factor authentication where possible.