As attacks grow more sophisticated, some security budgets are rising...but others are not, reports Alan Earls.
According to the Bible story, after Moses and Aaron spoke to Pharaoh to seek release of the Israeli people from servitude, the Egyptian leader not only refused but, seeking to make things worse for the enslaved, ordered that his overseers withhold the straw used to bind the river clay being made into bricks, tasking the workers to gather the necessary material themselves. In other words, the Israelis were given a difficult task that was then seemingly made all but impossible.
Folks in charge of security could probably empathize. While warnings are coming from almost every quarter about worsening cyber threats, many organizations are as yet unwilling to loosen their purse strings very much, if at all. It's a situation that is prompting both concern and efforts to do more with less.
A recent report from Aite Group, “Cyberthreats: Multiplying Like Tribbles,” projects a near doubling of financial losses from hacker takeovers of business accounts between 2011 and 2016. And that's based just on estimated losses from one type of attack. Indeed, according to Julie Conroy, the firm's research director, because the threat environment is moving fast, organizations need to invest in making the cost of breaching their security more trouble than their data is worth. “The trajectory of the growth in cyber threats is truly daunting,” she says. “We are at war with the bad guys and they are winning.”
Picking up the theme, Lawrence Pingree, a Gartner research director, warns: “The militarization of the internet will force security providers to enhance their technologies to create intelligence aware security controls (IASC).” In his view, many organizations have yet to recognize the gravity of the situation. Some do, though he says more can be done to address the evolutionary threats we all continue to face, such as advanced forms of malware and web security. Those threats, in turn, will require emerging technologies that go beyond what current compliance mandates often require. Furthermore, says Pingree, organizations will finally need to concede that manual processes and responses will not be sufficient to combat threat actors and their evolving tools and methods.
Breaches of compliant organizations have abounded this year. These enterprises need to resuscitate their programs around reducing risk through machine-based response and orchestrated security management based on intelligent adaptive security controls that are capable of learning from each other. For those reasons, Pingree says IASC is a concept Gartner will be focusing on more during 2014.
All that means spending money. Pingree says organizations will need to seek tools that do not operate in silos, and they will need to focus their efforts on incident response and risk rather than just compliance.
But compliance isn't going away. Ed Gaudet, general manager of the Cortext Products Group at Imprivata, a provider of health care IT security solutions, says the medical organizations that he works with have been spending more money, but they typically view security as a subset of compliance. “IT has budgeted for everything from privacy controls to single sign-on, but that has largely been driven by the fines associated with HIPAA,” he says.