Data protection tops CIO security agenda for 2009

By Linda Tucci, Senior News Writer
13 Jan 2009 | SearchCIO.com

Cigarettes and gambling might no longer be recession-proof, but IT security budgets at large corporations are getting a bigger proportion of the IT spend in 2009, according to a new study from Forrester Research Inc. Data protection is the top priority.

Over the next 12 months, about one in five security groups plans to pilot or adopt full disk encryption, file-level encryption, a host intrusion prevention system and endpoint control. When combined with the percentage of firms already using these security technologies, enterprise adoption of them will top 50%.

The budget increases, which follow a jump in 2008 as well, come with a growing awareness on the part of business executives that security is a business risk, the study showed. But getting the backing of the business on security matters and securing adequate funding remain serious challenges for IT groups. And the day-to-day burden of protecting the company? That remains almost exclusively the province of IT at most places, leaving security teams little time for strategic planning.

"Even though people realize that security is important to the business and security is focusing on protecting the data -- both good things -- organizations still have a hard time understanding how much do we spend, where should we spend, what is the right amount to spend and the kind of projects they should be doing," said Forrester analyst Jonathan Penn, lead author of the study.

The findings are based on responses from 942 business, IT and security executives at companies with 1,000 to upwards of 20,000 employees. The survey was conducted in the third quarter of 2008.

While IT budgets are shrinking, security is getting a larger portion of the IT pie. Companies with 1,000 or more employees will devote 12.6% of their IT operating budget to security in 2009, according to the study. That is almost a full percentage point above the 11.7% of the IT budget allocated the year before, which in turn marked a sharp increase over the 7.2% allotted in 2007.

The recognition among business executives of security as a business risk is due partly to a shift in reporting lines. More than half of IT security professionals (54%) polled by Forrester report to either the organization's board and CEO/president or to an executive committee, the survey showed, compared with 28% who report to IT. Despite the organizational alignment between the security group and business, however, security remains an IT-centric job at most organizations.

The survey showed that responsibility for infrastructure security, identity and access management, threat and vulnerability management, regulatory compliance and even physical security, for example, falls primarily or exclusively to IT security groups. Those tactical duties allow little time for broad strategic initiatives, Penn said.

The security strategizing that is done happens without much input from the business and with only tepid support, he said. More than two-thirds of the firms polled (70%) said other organization priorities take precedence over security plans.

"When you look at the challenges, it is surprising to me that despite the reporting lines, there is still this issue of getting enough executive backing for projects," Penn said.

But the disjunction shows just how hard it is for IT people to articulate the value of security investment in a way that business executives understand, he added. "They need to show that this money is going to give the business some kind of return," he said, as a first step in encouraging the business to help set strategy and develop metrics for measuring security ROI.

Full disk encryption hot for 2009

Meantime, IT security strategy has shifted pretty dramatically in the past few years, Penn said, from a focus on threat defense to protecting an organization's data assets. Indeed, data security was the highest priority for 90% of IT security organizations, surpassing threats cited in the past like malware (ranked sixth of 11 security issues) and regulatory compliance (ranked seventh). Application security (86%) and disaster recovery and business continuity (81%) came in second and third on the list.

The focus on data protection represents a "pretty healthy approach" to security, in Penn's view. Rather than following hackers' latest bag of tricks, IT executives are taking an asset-based approach, determining a company's most important data stores and building defenses around them.

"There is a growing recognition that the focus should be on what the attacks are actually doing to business assets, rather than looking at the kind of attack, per se," he said.

The adoption of threat management tools is still greater than that of endpoint data protection technologies. But investment in data asset protection is definitely accelerating. Full disk encryption leads the client security technology portion of the shopping list, with 22% of respondents saying they plan to pilot or adopt it in the next 12 months.

IAM, managed security services growing

In another notable shift from years past, firms told Forrester that security -- not compliance -- is driving their adoption of identity and access management (IAM) technologies. Although the expense (38%) and complexity (30%) of IAM are concerns, 15% to 21% will pilot or adopt a range of IAM technologies in the next 12 months. In the IAM arsenal, enterprise single sign-on is grabbing the most attention, with 21% of firms planning to pilot or adopt it, followed by provisioning (19%).

The survey also showed that large enterprises are increasingly going to managed security services to find specialized skills (29%) and reduce costs (28%). While email/Web content filtering is the most popular managed service today, vulnerability assessment and host event log monitoring/management show the greatest promise for growth in the next 12 months. The percentage of companies planning to outsource these areas would nearly double the percentage already using these services.

"We think of managed security services as something that people turn to just for cost savings," Penn said. "But we are seeing pretty strong adoption of managed security services across both SMBs and enterprises, and a lot of it has to do with the skills shortage. People are unable to find staff with the right skills, or in some cases, don't want people with those skills and find it just as effective to outsource it."
