Symantec Corp. (Nasdaq: SYMC)
and the Ponemon Institute, a leading privacy and information management research
firm, today announced the findings of a joint survey of IT professionals. The
survey revealed that most organizations lack the procedures, policies and tools
to ensure that sensitive information they put in the cloud remains secure.
Despite security concerns and the expected growth in cloud computing, only 27
percent of respondents said their organizations have procedures for approving
cloud applications that use sensitive or confidential information.
In most organizations, a large gap exists between those who currently evaluate
cloud computing vendors and the IT and security business leaders who should
ideally be responsible. Of the organizations surveyed, 68 percent indicated that
ownership of evaluating cloud computing vendors resides with end users and
business managers. Only 20 percent of the organizations surveyed reported that
their information security teams are regularly involved in the decision-making
process, and approximately a quarter said they never participated at all.
However, 69 percent of the respondents indicated they would prefer to see the
information security or corporate IT teams lead the cloud decision-making
process.
The survey found that employees are making decisions without their IT
departments' insights or full knowledge of the security risks involved. Only 30
percent of respondents evaluate cloud computing vendors prior to deploying their
products.
Additional Survey Findings:
· Organizations evaluate cloud services by word of mouth (65 percent),
contractual agreements and assurances from the vendor (55 percent and 53
percent, respectively). Only 23 percent require proof of security compliance
such as SAS 70, 18 percent rely on in-house security assessments and just six
percent rely on third-party assessments by security experts or auditors.
· More than 75 percent of respondents noted that the migration to cloud
computing was occurring in a less-than-ideal manner, due to a lack of control
over end users. Lack of resources to conduct proper evaluations, lack of
leadership to oversee the process and the low priority for evaluations were also
factors.
· Only 19 percent of the respondents indicated that their company provides
general data security training that discusses cloud applications. In addition,
42 percent of the respondents noted that their company offers general data
security training that does not specifically discuss cloud applications.
