As attacks grow more sophisticated, some security budgets are rising...but others are not, reports Alan Earls.
According to the Bible story, after Moses and Aaron spoke to Pharaoh to seek release of the Israeli people from servitude, the Egyptian leader not only refused, but seeking to make things worse for the enslaved, ordered that his overseers withhold the straw used to bind the river clay being made into bricks, tasking the workers to gather the necessary material themselves. In other words, the Israelis were given a difficult task that was then seemingly made all but impossible.
Folks in charge of security could probably empathize. While warnings are coming from almost every quarter about worsening cyber threats, many organizations are as yet unwilling to loosen their purse strings very much, if at all. It's a situation that is prompting both concern and efforts to do more with less.
A recent report from Aite Group, “Cyberthreats: Multiplying Like Tribbles,” projects a near doubling of financial losses from hacker takeovers of business accounts between 2011 and 2016. And that's based just on estimated losses from one type of attack. Indeed, according to Julie Conroy (below), the firm's research director, because the threat environment is moving fast, organizations need to invest in making the cost of breaching their security more trouble than their data is worth. “The trajectory of the growth in cyber threats is truly daunting,” she says. “We are at war with the bad guys and they are winning.”
Picking up the theme, Lawrence Pingree, a Gartner research director, warns: “The militarization of the internet will force security providers to enhance their technologies to create intelligence aware security controls (IASC).” In his view, many organizations still have yet to recognize the gravity of the situation. Some do, he says, though he says more can be done to address the evolutionary threats we all continue to face, such as advanced forms of malware and web security. Those threats, in turn, will require emerging technologies that go beyond what current compliance mandates often require. Furthermore, says Pingree, organizations will finally need to concede that manual processes and responses will not be sufficient to combat threat actors and their evolving tools and methods.
Breaches of compliant organizations have abounded this year. These enterprises need to resuscitate their programs around reducing risk through machine-based response and orchestrated security management based on intelligent adaptive security controls that are capable of learning from each other. For those reasons, Pingree says IASC is a concept Gartner will be focusing on more during 2014.
All that means spending money. Pingree says organizations will need to seek tools that do not operate in silos, and they will need to focus their efforts on incident response and risk rather than just compliance.
But compliance isn't going away. Ed Gaudet, general manager of the Cortext Products Group at Imprivata, a provider of health care IT security solutions, says the medical organizations that he works with have been spending more money, but they typically view security as a subset of compliance. “IT has budgeted for everything from privacy controls to single sign-on, but that has largely been driven by the fines associated with HIPAA,” he says.
Andrew Rose (below), a principal analyst at Forrester Research and author of a recent report called “The CISO's Handbook – Presenting To The Board,” says the unfortunate fact is that security organizations continue to “miss the boat – all the time.” In his view, managers are barely able to keep up with technical developments – a situation that is likely to persist in 2014.
Compounding the problem, he says, is the fact that security management doesn't usually get a seat at the table when important decisions are made that will have security implications – they simply have to figure out how to “deal” after the fact.
“Many organizations went forward with deploying tablets before security became involved,” he says. The same thing happened with virtualization and the cloud, he says. “Security is always late for the game, and then they are trying to do what they can with limited budgets and resources.”
Rose says an ongoing challenge for the year ahead is the weight of legacy security technology. “When developers put up a new company website, they can take down the old one,” Rose says. “Security can't do that – you still need the old technology to do its job.”
Still, Rose says organization may need to scrutinize their investments. “If your anti-virus is not as effective as it used to be, maybe it is time to push back on vendors to lower their license costs,” he says. And in some instance, if the effectiveness is low and the cost is high, it may be time to consider going without or relying on other technologies, he adds.
Based on anecdotal information, Rose says budgets for 2014 seem to be “incrementing,” but it is difficult for outside observers to determine exactly what those budgets are, since every company accounts for them differently. For instance, he notes some organizations include disaster recovery (DR) activities in security. Others might count firewalls, but not DR. “It is probably safe to say that all IT budgets have been hit since the recession while security budgets have usually seen a small increase each year,” Rose says. “But given the growth of the threat, that's cold comfort.”
Furthermore, since security management is often busy simply “putting out fires,” they rarely get to evaluate their situation, formulate plans and make choices. As a result, Rose says he believes the next one or two years will see growth in spending on managed security services as organizations reach for ways to get ahead of the curve. “Getting a hold of competent security staff is difficult, and you must pay a premium for quality, so it may be that companies will try to move more of their security tasks to providers and reserve their people for their most critical tasks,” he says.
He says he detects some additional increases in U.S. budgets because the American economy seems to be coming out of recession more broadly than elsewhere.
And that may be what is driving spending trends identified in a recent study conducted by SilverSky, a cloud security provider, which shows that more than 25 percent of U.S. organizations plan to make big investments in security in 2014. However, according to the company, spending still seems to be concentrated on “tried and true” technologies, such as vulnerability management, web security tools and firewalls. And most respondents – 67 percent – say they continue to deploy all or mostly all on-premise or appliance-based network security solutions, according to the company.
With the immense losses incurred by many organizations in 2013, the case for expanding budgets is clear, according to Pingree “Some organizations are adequately allocating budget, but this varies from organization to organization based on their maturity level,” he says. What organizations need to focus on, though, is trusting in the security teams to provide the right guidance to address the latest threats properly and not ignore the problem because the organization believes it has met compliance requirements, he says.
Brian Contos, chief information security officer within Blue Coat System's Advanced Threat Protection Group, agrees that compliance drivers have gotten the ball rolling. Now, companies are realizing they must take the next step and turn compliance into security. Echoing Gartner's Pingree, he says companies are looking to spend smarter. “Companies don't just want another shiny new thing to put in their rack,” he says. “They want a shiny new thing that will address a problem and perhaps enhance other things you are already doing. They want to be more strategic.”
And, in some cases, they do want to spend. Imprivata's Gaudet, for example, says he believes many medical companies could be considering up to 35 percent budget increases in 2014 – when compliance and security are considered together.
Still, while compliance alone may not be the ideal way to support security activities, Aite Group's Conroy sees compliance as a practical foundation for building budgets and taking action. Furthermore, she notes, new SEC regulations are compelling regulated companies to report on their breach risks and the potential impact a breach could have. “That now brings cyber security to the board level, and with the kind of headlines and disasters that are common it will certainly cause an escalating awareness of the threat,” she says. “Regulated companies now have to make those investments as security spending has become table stakes.”
Similarly, Chris Petersen, CTO of security intelligence company LogRhythm, says he is seeing evidence of more spending, too. “Verticals that have been more compliance-oriented – say, focusing just on PCI requirements – are now looking more at security across the board and at achieving and implementing best practices.
“In the financial sector we are seeing growing investment in critical infrastructure and a significant shift in the budget – from preventative technologies, such as firewalls, anti-virus, and anti-malware, to more spending on monitoring and response,” he says.
Perhaps most significantly, there's movement at the board level. According to Rose's Forrester report, board awareness of security issues goes beyond just regulated companies. In fact, he notes, “CIOs used to report security and information risk issues to the board as part of their IT update. Those days are gone. Executive leaders now see information risk as a key aspect of keeping their organization stable, well regarded, and, ultimately, profitable.”
And it is that shift that may auger most favorably for increased support of security in 2014 and beyond.