The Organizational Disconnect of Information Security

Monday, November 22, 2010

Alexander Rothacker


Recently, Application Security, Inc. released the results of a major report, "Data in the Dark: Organizational Disconnect Hampers Information Security."

Members of PASS (The Professional Association for SQL Server) were polled across 761 organizations to determine their challenges and priorities relative to database security.


The study found that approximately 75% of respondents, the majority of whom are database administrators, are responsible for protecting their organization's database.

Nearly half of the study's respondents said that a database breach would have greater impact on organizational security than any other IT component.

However, about 40% of respondents were unaware of their organization's IT Security spend, with 57% having no idea of the potential cost impact of a large-scale data breach. 54% of respondents said production databases are out of their direct control.

Our TeamSHATTER Analysis

What this tells us is that a false sense of reality is plaguing organizations: the people responsible for databases either do not know, or have a distorted picture of, the costs associated with a breach at the database level.

This poses an enormous problem if two-thirds of the respondents who say they are responsible for protecting the database do not understand the impact or costs associated with a breach.

Surprised? Not really, because the full cost of a breach can be difficult to grasp. Fines, loss of reputation, lost productivity, communication costs and the like are often underestimated or not fully understood.

Unfortunately, getting breached is not like getting a slap on the wrist. It costs enterprises $200 or more per breached record.

In another recently released report, Ponemon reports that while the average cost of a breach is $204 per record, in healthcare it is more than double that, at $471 per record.

Summary: Education is the key to understanding the full impact of database security. Here is a link to the report if you would like to check it out yourself:

Download the "Data in the Dark" report

Extra stats that are noteworthy:

  • 66% state that production data within their database environment is located outside their organization, or is consistently being sent outside it, contributing to a heightened vulnerability profile.
  • The study reports that 50% monitor the database for changes, but only 20% monitor privileged user activity. Meanwhile, 35% state they don't know what their capabilities would be in this area.
  • Approximately 1 in 3 organizations say that current controls are inadequate when it comes to securing the database.
  • 55% say that their biggest impediment to effectively securing the database is an inadequate IT Security budget.
  • 33% of respondents state that their database environment is audited annually, while nearly half (42%) replied that they are unaware of database audit results.
  • 33% of respondents state that they are not monitoring for unauthorized access or database configuration changes.
  • 65% state that the greatest risk to protecting database assets is human error, implying that a large percentage of organizations continue to rely on manual and error-prone processes.