Black Hat USA's just-published, first-ever attendee research report snapshots an industry exploding with growth that still hasn't solved its most pressing problems.
Surveying nearly 500 top-level security professionals -- all past attendees of Black Hat USA -- the report reveals a disturbing spending gap in enterprise information security resources.
The full report is available as a PDF download: Time to Rethink Enterprise IT Security.
Last year, Black Hat had over 8,000 attendees. Review Board member and former Black Hat General Manager Trey Ford described this year's upcoming conference (starting August 1):
Standing in the conference space at Mandalay Bay, you will have 9,000 people wearing Black Hat badges nearby, over 180 researchers presenting content, and 160 vendors who have invested heavily in the event.
As a content-led event, this is the largest professional hacking event of its kind.
The survey reveals a serious shortage of IT security resources in the days ahead.
While nearly three quarters (73 percent) of respondents think it likely that their organizations will have to deal with a major data breach in the year ahead, a majority also feel that they do not have enough budget, staff, and training to handle the load.
Only 27 percent of respondents said they feel their organization has enough staff to defend itself against current threats.
As we reported last year, it's still a seller's market for hackers.
An overwhelming 94 percent of security professionals think they'd have no trouble finding a different job, and while most say they're happy in their current positions... nearly two thirds (63%) say they would consider a job proposition from a different employer.
The hiring crush is facilitating more than "rockstar" problems. It's creating crews in need of training: While 36 percent said they have the skills they need to do their jobs, 55 percent said they could use a bit more training, please.
Despite the deep pockets of some organizations, the fight to get decision makers to make security budgets a priority is still a nagging concern.
Only one-third (34 percent) said their organization has enough budget to defend itself against current threats.
The shift in mindset to breach preparedness over the last year may have started a good trend in the way organizations survive (and possibly thrive) throughout a breach event.
Nearly 75 percent of Black Hat's survey respondents think it's likely their organizations will have to deal with a major data breach in the next year.
However, it's still disturbing as hell that only 27 percent of the security workforce feels their organization is equipped to defend against current threats. That's bad, dear reader. Really bad.
There's a running joke within infosec communities -- no, not the "blame China" one. It's the one where the word "sophisticated" is used in place of accountability...
But for 57 percent of the survey's respondents, the thought of an actual sophisticated attack directly and specifically targeting their organization does indeed keep them up at night, and was cited as their "greatest" concern.
Worryingly, only 26 percent indicated that mitigating these attacks was among the top three security spending priorities in their organization. Further, only 20 percent said targeted attacks were among the top three tasks they spend the most time on day-to-day.
The second greatest concern among respondents was phishing, social network exploits or other forms of social engineering -- it keeps 46 percent of frontline BH attendees awake at night, even though only 31% indicated that they spend a large amount of their time on social engineering.
Yet, only 21 percent indicated their organization spends a large portion of their security budget in this area.
According to the survey, more than a third of Black Hat attendees said their most time-consuming tasks are in addressing vulnerabilities introduced by internally developed software (35 percent) and vulnerabilities introduced by off-the-shelf software (33 percent).
The data suggests that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.
In light of what's been revealed in the recent Hacking Team news -- where many of their attacks depended on flaws in such software -- this may become a better-addressed issue in the days to come.
Black Hat USA 2015 runs from August 1-6, at Mandalay Bay in Las Vegas, Nevada.
All images courtesy of, and with express permission from, Black Hat USA/UBM. Photo credit: Black Hat/UBM Events (Flickr).