Security budgets are holding their own – even in the toughest economy since the Great Depression, reports Illena Armstrong.
Reports of shuttered businesses, mammoth layoffs, home foreclosures and sagging consumer spending have become routine. Common enough, in fact, that a quick internet search can find throngs of organizations presenting websites keeping scrupulous count of the dismal figures. In contrast, quite a few economic experts assert that the protracted financial bleakness of the time is starting to fade away.
Its unhurried pace to depart, though, is leaving many an executive leader glumly distrustful of the future. Budget reductions, slashes to personnel numbers, employee pay reductions, the shelving or all-out elimination of assorted projects and other cost-cutting measures are still raging.“The economy is having a huge impact on my company – a state government,” says Kris Rowley (left), systems security director for the state of Vermont. “There are layoffs, cutbacks, hiring freezes and so forth. I do not see an end to this in the near future. We are maintaining our security stance by focusing on what we have in place and using the budgets we do have very wisely to get the biggest bang for our buck.”
Yet, even in the face of the worst economic period since the Great Depression, corporate chiefs are comprehending that protecting their customers' personally identifiable information, as well as securing their own intellectual property, is compulsory. Boon or bad times, information security is essential to any organization's continued success and profitability.
“I expect to see information security budgets either holding their own or increasing slightly as overall IT budgets decrease a bit,” says a CSO at a global manufacturing company who requested anonymity. “The IT decline is a reflection of the economy and the IS-level increase reflects the shift or realization of that shift of business processes to the internet and the growing awareness of the need for better security there.”
Considering it one of today's foremost and strategic business imperatives, security and risk planning is a lead concern for many companies. According to the third annual Guarding Against a Data Breach Survey, conducted by SC Magazine and ArcSight with research firm CA Walker, 91 percent of 399 respondents agree that their companies are taking the right steps to prevent customer and other critical data from being stolen, exposed or lost. This number closely echoes last year's data, which showed that 88 percent of 217 respondents thought they were on the right track.“There have been a lot of advances in technology addressing data breach prevention and mitigation over the past few years. If a company implemented or plans to implement even a portion of these tools, then a company is taking the right steps toward data security,” says Rowley. “However, if the question is asked if companies have taken all steps or have made every effort to prevent data breaches, then the current response number [to the survey] would be extremely high. Technology is expensive and in our field, especially in government, money is very tight. One of the first places to lose funding, in both the public and private sectors, is IT.”
Drivers to protect information
Yet, even as financing for the majority of business divisions in most markets has withered – and for some drastically so – some budgets have remained level (about 20 percent of respondents) and a scant few (1.5 percent) actually rose as a multitude of pressures preserved assorted information security projects and plans. According to 76 percent of readers responding to this year's survey, regulatory mandates were the top drivers propelling their companies to better safeguard critical customer and corporate data from theft or exposure. Another 75 percent noted that possible negative impact to the corporate brand or reputation was the main influence, while customer demand weighed in heavily for 41.4 percent. Other respondents said possible profit loss (40.9 percent), executive board demand (37 percent), investor demand (11 percent) and other concerns like corporate cultures, potential lawsuits or moral obligations (nine percent) drove their companies to improve data security.
“I believe these make a lot of sense,” explains Rick Caccia, VP of product marketing for security and compliance vendor ArcSight. “Companies generally purchase security solutions out of fear of attack, loss or fear of monetary fines [from transgressing] regulations. In terms of attack, breaches are often kept quiet, unless there is legal compulsion to disclose. In addition, unless a large public breach hits a competitor, firms in an industry may simply not pay much attention. On the regulatory side, purchase drivers follow a very common path. First, the regulation causes no fines, so few companies pay attention. Next, the regulation starts to bring fines, but they aren't that high and are less than the effort/cost of implementing security solutions, so many firms ignore it and pay the fines. Eventually, the fines become painful enough that firms pay attention.”Regulatory pressures and possible negative impacts to brands will continue to goad corporate executives to pay attention to security, adds the state of Vermont's Rowley.
“In light of the TJX and Heartland data breaches, companies are thanking their lucky stars it wasn't them. No company wants their credibility demolished, or to pay the astronomical financial impact such a breach produces, nor do they want to explain that the breach was caused by something they knew about but did nothing to fix,” she explains.In January 2009, it was announced that hackers had bypassed network firewalls and penetrate the databases of several large companies, including Heartland Payment Systems, 7-Eleven, and Hannaford Brother. The personally identifiable information (PII) of more than 130 million credit and debit card holders is believed to have been stolen. When Albert Gonzalez was charged with for the crimes, he was already in federal custody for his alleged role in hacks of other retail chains – TJ Maxx, Barnes & Noble, BJ's Wholesale Club, Boston Market, DSW, Forever 21, Office Max and Sports Authority – involving the theft of data related to 40 million credit cards. The breach has already cost Heartland tens of millions of dollars in legal costs and fines from Visa and MasterCard, not to mention the damage to the brands' reputations and wariness created for customers.
Facing the threats
For now, however, most information security pros are trying to get by during a period that is no stranger to shrunken workforces. Compared to the previous two years of the Data Breach survey, there are slightly fewer people in IT departments to handle information security and data prevention efforts. While most numbers are somewhat similar to last year, only 2.8 percent of respondents noted having 16 to 25 staff dedicated to information security compared to 6.5 percent last year. On the flipside, 54 percent of this year's nearly 400 respondents note having one to five staff members who undertake information security activities – an increase of about four percent over last year.
Rowley chalks this small hike up to an acknowledgement by some companies that they needed to hire pros to focus on IT security since they probably had only one CISO in place or no dedicated information security employees on their rosters at all. “The companies with a larger pool of security folks may have cut due to budget and will do more with less. The economy plays a big part in the numbers seen in [response to] this question, as does the number of breaches seen over the past year,” she says.And, given the number of data breaches still occurring, questions remain about just how effective current information security initiatives are. A depressed economy hasn't helped either.
“Organizations will likely be facing continued focus on cost management,” warns Greg Bell (left), global information protection and security lead partner at KPMG. “While probably not as aggressive as 2009, 2010 will still be a challenging year for operation and capital budgets. Prioritizing spend, both in terms of project priorities and resource allocation, will be critical for security organizations throughout the year.”Generally, fewer security solutions are being considered for deployment next year as well, with approximately eight percent of respondents to the SC Magazine/ArcSight survey looking to outsource data security. However, 40 percent of respondents expect their budgets related to IT security projects and data loss prevention efforts will increase next year, while 47 percent say it will stay the same. For an unlucky 12 percent, decreases are expected.
“I think in general that the most effective way to avert a breach is to have comprehensive and highly effective data management,” explains Mirixa's Edfors. “This has been a real challenge for most companies and agencies since the majority of them have faced rapid growth and rapid advancements in their technology infrastructures, with planning and management lagging significantly behind.”
Looking for answers
With this trend in mind, readers responding to the survey are focused on a number of solutions to support their efforts over the next 12 months. Some 45 percent are looking to deploy email encryption in the next year, 42 percent are focused on email management and content filtering (which includes spam filters, AV, content filtering and more), 41.4 percent are concentrating on data loss prevention services and technologies, 40.9 percent are spotlighting mobile security tools – from encryption to authentication, and 38 percent are centering their attention on web application and secure coding solutions, respectively. Other technologies being considered are two-factor authentication, secure web services for customers and other categories, like USB monitoring, backup tools and third-party assessments.
These planned technology investments jibe with security-related troubles that often arise during an unsettled economy, says Stephen Fridakis, chief of the IT programs and quality assurance division of IT solutions and services at UNICEF. Primarily, when “job cuts are commonplace,” companies begin paying closer attention to insider threats that crop up with disgruntled workers.“As it is, one of the biggest threats to corporate data and systems traditionally has come from insiders, who, with their privileged access to data and systems, have the potential ability to do more accidental or malicious damage than even the outside attacker. Such threats greatly increase at times when companies concentrate on reducing personnel, allocating more work on already overworked staff and eliminating bonuses and perks. The fear of losing one's job and the stress associated with such an environment develops unpredictability in how one would react when a competitor approaches them to entice them to disclose sensitive information,” he explains. “Technical controls range from trivial monitoring (e.g., who is accessing a system or sensitive information, who is working late hours outside their standard working hours); user provisioning, so access is revoked in a timely manner; and handling of portable devices (laptops, handhelds) and removable media (USB memory sticks, iPods). More sophisticated tools that monitor network traffic to ensure that protected information doesn't go outside in an unauthorized manner will also see increased interest.”
As such, another area of major concern for most organizations is mobile security. End-users rely ever more heavily on laptops, iPhones, thumb drives and iPods to store and exchange data – sometimes critical. Not only do mobile devices get lost or stolen easily, but, as endpoints in a larger corporate infrastructure, they must be secured at the desktop level and the conduits for information exchange must be safeguarded.“I think that the industry on the whole is still trying to determine how to effectively and efficiently deal with the data portability issues while being respectful of the privacy and security requirements,” says KPMG's Bell. “There's a balance that needs to be created for every organization based on their industry and brand requirements. Security is slowly becoming more about facilitating the secure and complete movement and use of data rather than simply data isolation or segmentation.”
Taking the basic security steps should help organizations, he adds. “Increasing awareness of concerns, policies and individual responsibilities is always the most effective step in combating data loss. The theft of mobile devices, monitoring of third-party use of data, and effective monitoring of unauthorized data access are foundation controls, but highly effective."Getting organized
On top of all this, cyberthieves have become savvier and more organized. The strikes they lob at companies are stealthy and, unfortunately for the corporate world, often quite successful. “The issue here is that there is a hiatus in security efforts in many organizations, but there is no slowdown in the efforts of the bad guys -- in fact, quite the opposite,” says Warren Axelrod, a senior consultant with IT security consultancy DeltaRisk, and the former business information security officer and chief privacy officer for the U.S. Trust division of Bank of America.Therefore, a message of what's needed must be conveyed clearly to upper managers to ensure critical data is well protected and information security endeavors get the resources and support necessary. This, of course, falls to industry professionals, many of whom already are communicating the risk management requirements for 2010.
“Security is an ongoing endeavor,” says UNICEF's Fridakis. “We have not been able to add any new staff, and budgets for 2009 were at best flat. We are now attempting to justify some growth in IT security for 2010. This is primarily to ensure that there are enough resources in the budget to invest not only in handling routine maintenance functions, but also for critical upgrades in operating system features, firewalls and remote connectivity. This will enable better work-life balance and features critical to our productivity-strapped operations.”
Fridakis isn't the only one who's showing optimism about his information security budget next year. About 40 percent of SC Magazine readers responding to this year's survey say their budget related to IT security projects and data leakage prevention efforts will increase next year, while 47 percent note it will stay the same. Only 12 percent foresee a decrease.“We are seeing companies starting to spend again. I'm
not surprised by slight budget increases for 2010,” says Rufus Connell, VP of information and communications technology
at research and consultancy firm Frost & Sullivan.
Even though executive leaders are beginning to understand the many risks to their organizations' critical data, there still is some way to go, especially during continuing economic doldrums. Any change in their thinking is marginal when contrasted with the vast threat landscape. Plus, now and probably in the future, business leaders will look at ways to reduce expenses and decide, smartly or not, to take on additional risks.
“My sense is that organizations have implemented safeguards to deal with yesterday's threats and that the bad guys are continually changing the game so that exposures, which did not exist previously, are now opening up,” says DeltaRisk's Axelrod. “What needs to be done is to put more focus on areas that are being inadequately handled today.”
But, in an economic period struggling to improve, IT security executives will find that they may have to continue doing more with less, adds Mirixa's Edfors. “We still need to rely on some pretty old-fashioned concepts, like planning, policy, documentation, change management, configuration and patch management and internal controls,” she says.
And lining up business needs with security requirements will be the goal under which all these other plans and supporting solutions sit. In this way, nascent technologies used to help grow the company's bottom line – but often the culprits introducing vulnerabilities to the network – will be addressed.“The focus on good communication with executives to make sure security priorities and spend are aligned with business priorities and initiatives is always a key step,” says KPMG's Bell. “Some of the most common problems occur when business and security priorities are not in alignment. In some of the new economic models, issues such as regulatory compliance are becoming less a priority, and demonstration of security and privacy techniques to support new business initiatives – improving revenue or margin, or controlling cost – are getting more visibility,” he says.
FEDERAL BREACH LAW: Going national
Individual state data breach notification laws creates a patchwork of directives that leaves many organizations that must comply with them flaying. Over the years, various proposals for federal legislation that would usurp these laws that some 45 states have put into affect have cropped up in the U.S. House of Representatives and Senate.
“The state-by-state framework is a nightmare,” says Rufus Connell, VP of information and communication technologies at Frost & Sullivan. “It makes huge sense to have a national law.”
So far, however, none of these actually have passed. Moreover, whether or not such a federal act would help remains controversial. According to this year's SC Magazine/ArcSight Data Breach Survey, 41 percent of the 399 respondents indicated that passage of a national data breach law would help in their security efforts to protect customer data, while 27 percent said it wouldn't. Another 13 percent noted it would, but probably not enough. Some 55 percent thought it would not impair their moves to secure critical data, but 16 percent said such a law actually would impede or hurt their efforts.
“Apart from the challenge of multiple state laws within the U.S., the task of determining which policies and procedures, technical solutions and configuration settings, and user technical skills transfer and awareness can be used on each jurisdiction. Using a global security framework such as ISO 27001 can be effective in an organization that seeks to establish a security and compliance approach,” says Stephen Fridakis, chief, IT programs & quality assurance division of IT solutions & services (ITSS) for UNICEF. “What is most useful to companies is a set of actionable controls as well as a notification and coordination framework. Laws and regulations tend to be rather prescriptive and cannot become actionable to deliver results.”
Nonetheless, Rick Caccia, VP of product marketing for ArcSight, believes such a federal law would be helpful to organizations in some ways. “A national law will reduce the cost and effort of compliance for companies,” he notes. Yet, whether or not such a ruling would benefit security programs overall is questionable. “It's just not clear that it will actually do anything to increase actual security, since it will likely be weaker than many existing state laws.”
Indeed, if and when such country-wide regulation passes, its effectiveness will depend largely on how its written, what penalties are put in place for non-compliance and how it's enforced.
Warren Axelrod, a senior consultant with IT security consultancy DeltaRisk, and the former business information security officer and chief privacy officer for the U.S. Trust division of Bank of America. “Also, I don't know whether the states would not be able to maintain or introduce more stringent laws of their own.”
On top of this, the current administration – while once trumpeting “grandiose plans for cyber security,” seems to discuss these issues with much less vigor, focusing instead on other issues. As a result, cybersecurity matters are far off from the congressional debates fixed on health care concerns, economic worries and continuous conflicts in the Middle East.– Illena Armstrong
Illena Armstrong, SC Magazine's editor-in-chief, won a 2009 ASBPE Award for editorial excellence for the Data Breach Survey she penned in the issue of January 2008.The Guarding Against a Data Breach Survey 2010 was conducted by SC Magazine and CA Walker Research Solutions. Email notification was sent to corporate professionals and a total of 399 IT/information security professionals completed the survey online between September 16-29, 2009. Results are statistically tested at a confidence level of 90 percent. Results are not weighted.
A more extensive version of the Data Breach Survey 2010 can be purchased for $295. Please contact Katy Wong at firstname.lastname@example.org.