451 Research Security Analyst Garrett Bekker.

In a classic case of putting the cart before the horse, too many organizations are deploying emerging technologies before they can shore up appropriate levels of data security, according to a new report from Thales e-Security and 451 Research.

Released last Thursday, the 2017 Thales Data Threat Report contains the results of a survey of more than 1,100 senior executives, 63 percent of whom affirmed that their enterprises are not adequately ensuring data security before implementing new technology solutions. The greatest number of executives expressed concern about this risky practice when deploying software-as-a-service platforms, infrastructure-as-a-service solutions and mobile applications. Platform-as-a-service technology, big data and IoT platforms generated the next most concern, respectively.

Container tools such as Docker are another technology that some companies may be pursuing prematurely. Almost 40 percent of respondents said that they are already actively using the technology for managing production applications, even though 47 percent of those polled said that security concerns were the top barrier to its broader adoption. (Fifty-three percent named encryption and related data security tools as the top remedy for such concerns.)

"I've seen this over and over through my career. A new technology comes along and companies are in a rush to deploy it because they feel it'll give them a revenue boost or an edge on the competition," said report author and 451 Research Principal Security Analyst Garrett Bekker, in an interview with SC Media. "They get pressure from senior management, perhaps, to get this thing rolled out and they... don't think up front about the security implications."

In other findings, 73 percent of respondents said that they anticipated an increase in security spending over the next 12 months – a sharp rise from 58 percent in 2016. Compliance (44 percent) remained the most commonly cited reason for spending budget, but on a more ambitious note, 38 percent of respondents said that their primary motive behind security expenditures is to follow best practices.

Despite trends pointing toward increased spending, 26 percent of surveyed executives admitted that their organizations experienced a breach in the last year, up from 21.7 percent in 2016 – a finding that led Bekker to question if companies are spending on the right solutions.

“Overall, the research suggests that the security industry looks increasingly like a dog chasing its own tail – despite more and more money spent on security each year, our collective problems continue to worsen,” wrote Bekker in the report. “One possible explanation for this vicious cycle is that organizations keep spending on the same solutions that have worked in the past but are no longer the most effective at stopping modern breaches.”

Bekker told SC Media that this trend amounts to an "emperor-has-no-clothes moment" for the security community.

Nearly 68 percent of the surveyed executives said that their organizations have been breached at some point, an increase of almost seven percent over 2016.

This year's survey also added a new question about data sovereignty, particularly in anticipation of Europe's General Data Protection Regulation (GDPR) taking effect next year. Among the surveyed executives, 64 percent said they intend to use encryption to comply with local privacy and security regulations such as GDPR, while 40 percent said they plan to use tokenization. (Respondents were allowed to name more than one tool.)

“Enterprises today must inevitably confront an increasingly complicated threat landscape,” said Peter Galvin, vice president of strategy at Thales, in a press release. “Our world, which now includes the cloud, big data, the IoT and Docker, calls for robust IT security strategies that protect data in all its forms, at rest, in motion and in use. Businesses need to invest in privacy-by-design defense mechanisms – such as encryption – to protect valuable data and intellectual property and view security as a business enabler that facilitates digital initiatives and builds trust between partners and customers.”