As evidenced by the sessions presented at the RSA Conference this year, the most dominant and unsurprising business priority is protecting data. As a result, executives from companies of all sizes and types are looking hard at what they're doing to safeguard personally identifiable information, intellectual property and other critical informational assets.

The areas of the business proving to be the most targeted by cybercriminals are getting a long, second look by many executives, with companies either in the process of deploying or planning to deploy solutions to address these vulnerabilities. For example, endpoint and mobile security still top priority lists as threats to wireless devices comprising the typical network continue to rise. Too, data leak prevention and identity management/access controls are being reviewed a bit more due to increasing concerns over insider threats. On RSA's show floor, virtualization security was an often discussed topic, as well, given that more and more organizations are looking to experience the cost-savings of running multiple applications, servers or networks on a single hardware-based server. And let's not forget areas like database or web application security.

Corollary to this, organizations' C-level executives also continue to worry about compliance. Whether industry, federal or state mandates, company leaders are looking to come into line with the various standards that affect them without duplicating efforts or wasting resources, time and money. But this goal still proves elusive to many corporate security executives, a majority of whom noted during a recent SC Magazine eConference on PCI compliance that meeting the multiple mandates that touch their organizations in a holistic manner is proving difficult.

Such difficulties are unlikely to abate, especially as tweaks to various regulations and laws drive forward. For example, one state is considering introducing to its data breach notification law an addendum that would require organizations experiencing a breach or exposure to notify those parties affected within seven days of the occurrence. You can recall that when California launched its SB1386, most states followed suit with their own versions. Such is bound to be the case with the addition of time limitations to existing data breach notification rules.

Even as mandates evolve and threats to IT environments progress, however, so too is the thinking about sound information security practices. Yes, it continues to be a game of cat and mouse, but more than ever before, companies are paying attention to the leading vectors of attacks, understanding that it's all about following and safeguarding the data. The biggest trend, then, is that we're now beyond viewing security as an impediment to engaging in business endeavors and the follow-up stage that touted security as a business enabler. Now, for most forward-thinking companies, security means business. It's simply part of the fabric of trade today. Without it, exposure of critical data will rise and brand names topple. So whether regulatory mandates or reputational effects drive you, follow the data and shore up the defenses of all those holes that cybercriminals love to exploit.


Illena Armstrong is editor-in-chief of SC Magazine.