Organizations that focus on security processes and not products will be able to lower their total information security budgets while simultaneously improving their overall level of protection, Gartner claimed today.
The analyst firm estimates that, by 2010, only one-in-10 new emerging security threats will require the deployment of a tactical, best-of-breed solution, compared with eight-in-10 in 2005.
Consolidation and convergence of security functions onto security platforms will have the greatest effect in terms of overall cost reduction over time, according to Gartner.
But technology is only part of the story. Collectively, the ongoing improvements in process discipline of the IT organization is identified as the second largest contributor to spending less and being more secure.
"As information security threats and technologies for dealing with them mature, these activities should be turned over to the operations side of the IT organization," said John Pescatore, vice president and distinguished analyst at Gartner.
"An information security organization should be focused on new emerging threats and technologies. This requires the information security team to 'let go' of the more routine, mundane threat protection technologies and focus on what they do best - effectively addressing new threats."
"To get more secure and spend less, enterprises should focus on process, not products," added Neil MacDonald, vice president and distinguished analyst at Gartner.
"Businesses should increase the efficiency of the security program either by reducing the percentage of revenue that goes toward security spending or increasing the amount of protection from established security spending levels and also increase the effectiveness of the security program, reducing the number of successful incidents or providing security controls that don't interfere with business missions."
Gartner defines four security processes - network access control, intrusion prevention, vulnerability management and ID/access management - and the interfaces between them as being the key to improving security effectiveness and efficiency.
"The rest of the business is moving to a process-focused discipline of measurement and management, why shouldn't we expect the same from information security?" MacDonald said.
"When new threats emerge, have your processes defined and map solutions to this as necessary. This discipline helps to avoid different groups duplicating efforts and purchasing point solutions for each new threat."