This article can also be found in the Premium Editorial Download "Information Security magazine: The China Syndrome: Security factors to consider before buying Chinese IT."
Download it now to read this article plus other related content.
For the past several years, security has remained a game of perimeters and scanning, despite frequent protestations that the perimeter is dead and static virus scanning won’t catch today’s customized and polymorphic malware. The shift away from old-school defenses is now more visibly underway, according to our latest IT security trends survey of your priorities, worries and plans for 2013’s security initiatives.
This survey, concluded at the end of last year, included responses from 1,882 participants and showed more skepticism than ever about static signature scanning, concerns about mobile and cloud technologies, and openness to newer security technologies. Fully two-thirds of U.S.-based respondents working for organizations with more than 1,000 employees said they were “evaluating new threat detection technologies such as sandboxing, whitelisting and others.” And the good news is, many of them will have more money in their budgets this year to fund implementation of these technologies.
As an aside, many security practitioners may be pursuing these newer technologies at new jobs. A separate IT Salary study conducted by TechTarget across all of its technology properties included approximately 200 practitioners who indicated IT security, compliance, risk management or disaster recovery as their primary role within the organization. Of those indicating a security or compliance role, only 25% were satisfied with their current job. And only 22% planned to stay in their current role over the next three to five years.
The respondents in both surveys, we should note, are well-seasoned. We’re focused on the Security Purchasing Intentions 2013 survey in this report: Globally, 36% of respondents had more than 10 years’ experience. Within the U.S. and at larger organizations, security practitioners with more than 10 years of experience account for 47% of respondents.
Inside you’ll find:
- Budget projections
- Is it still a hands-on job?
- Mobile issues lead respondent concerns
- App-aware firewall penetration
- Cloud security meets resistance
- Quick cuts of other key concerns
Nearly One in Five U.S. Enterprises To See Budget Increases Of More Than 10%
The good news globally is that this year’s budget, at a minimum, won’t be smaller. It may be flat—roughly 40% of U.S. enterprise respondents reported that no changes were expected year-over-year in their budgets—but only 7% of enterprises and 9% of smaller businesses expected a decrease in this year’s budget.
Worth noting is that the Asia-Pacific (APAC) region had a decided bias toward budget increases, with only 16% of respondents reporting flat projections and 63% reporting budget growth. If one further narrows the results down to focus exclusively on India, fully 72% of respondents reported their budgets would grow for 2013.
We should take a moment to say who the survey respondents were: a total of 1,882 security professionals who were not employed by or affiliated with IT or security vendors took the survey worldwide. Common job titles for survey respondents included information security officers, directors of information security, security staff, risk analysts, and the like. Thirty-six percent of them had more than 10 years of IT security experience. They were widely spread across various industries, with financial services being the most heavily represented at 15%.
Takeaway: Globally, 49% of respondents said security budgets were projected to be up in 2013.
Geocache: 19 percent of all APAC respondents say their budgets are up 10+ percent.
The Job May Be Shifting, But So Is The Technology Mix
We have sometimes wondered whether security is more about abstract concerns like “controls” or more about hands-on configuration and packet sniffing (whether adding firewall rules, running reports against access logs, or checking alerts from the intrusion detection system (IDS)). Two questions we asked gave us the sense that there’s a shift, but not such a large shift that it’s somehow no longer a technical job. Smaller organizations report a slight majority, saying there’s no shift away from technical issues; larger organizations are more or less split on the question. Configuration and technology still play a role for three quarters of survey takers, however, regardless of the size of the organization where they work.
The kinds of technologies they’re likely to grab hold of come configuration time, however, seem to be shifting markedly. Confidence in static scans for known signatures seems, by now, to be heavily eroded, with only half of respondents believing such technologies are effective. Perhaps even more indicative of change in the wind, a fifth to a quarter of respondents, when asked to look five years ahead, said they don’t see traditional antivirus in the picture.
Takeaway: Approximately one in five respondents said they aren’t necessarily going to remain committed to antivirus over the next five years.
Geocache: 46% of Americans said defending against nation-state attacks like Stuxnet is a priority. Only 24% of Europeans held the same view.
Mobile’s A Top Concern, MDM Is of Interest
When asked what the top priority was for next year, enterprise security respondents worldwide saw compliance as the clear winner, while those at organizations with fewer than 1,000 employees ranked viruses and malware as their top concern. In terms of specific, game-changing technologies, though, mobile was a top priority globally, except in Asia-Pacific, where it ranked well behind cloud security as a concern.
Survey participants reported that they had significant influence in mobile initiatives within their organizations: only 23% of those in the U.S. said they had no role in mobile rollout (it was 20% elsewhere).
Top priorities for mobile security this year (in priority order): antivirus (we don’t get it either), authentication and encryption.
In terms of broader control over mobile devices (including but not limited to security concerns), there’s definitely traction for mobile device management (MDM), particularly in larger organizations. Half of U.S. organizations with more than 1,000 employees are evaluating MDM this year; roughly one quarter of the respondents are using MDM already.
Takeaway: The top security concern worldwide across all sizes of business is compliance, followed by viruses and malware. Top technology issue, however, is mobile security.
Geocache: Top mobile initiative in all global regions is antivirus.
Application-Aware Firewalls Split Between Basic Port Filtering and Granular App Controls
There’s probably more than one way to think about the “next-gen” firewall, but what we asked about in particular in our survey was the “app-aware” firewall, a firewall that looks at traffic with an awareness of which applications are involved in which sessions. Because of their greater complexity and the higher demands they make on processing power, these firewalls can be tricky to deploy with success, but 43% of respondents globally report that they use them.
It’s worth noting, however, that of that 43%, 21% said they are using these firewalls only for basic port filtering. One could argue this is basically missing the point of the exercise. Twenty-two percent reported they are using app-aware firewalls in lieu of using a stateful firewall; the rest of those using next-gen firewalls are using them in conjunction with a stateful firewall.
Next-gen firewall vendors should take note, by the way: 18% of those not deploying next-gen firewalls claimed “vendor misrepresentation of capabilities” as an impediment to adoption.
Takeaway: Integration was the primary issue respondents cited as an impediment to deploying next-gen firewalls.
Geocache: Twenty percent of respondents globally are “inclined” to use cloud-based firewall administration services.
Both Cloud-Specific Security Solutions And Security Services Delivered By Cloud Meet With Resistance
On the one hand, our respondents said they had a lot less influence over cloud deployment than they had where mobile is concerned. Twenty-one percent reported they can “recommend or specify” their organization’s cloud projects, compared to 57% who make recommendations for mobile security technologies. What’s interesting, though, is that 22% reported they can “reject or delay” projects based on security concerns.
Globally, 44% of the survey respondents are evaluating products designed to secure cloud servers and data—the percentage is somewhat higher in the U.S. Overall, 15% of respondents currently use some sort of cloud-specific security tool, with 33% reporting they have no plan to use cloud security technologies (principally because their organizations aren’t using the public cloud).
As for moving security processes to the cloud, there’s a fairly high degree of resistance. Thirty-five percent said they’d consider disaster recovery as a cloud service, but 57% reported they simply don’t want to outsource security.
Takeaway: One-fifth of respondents said they can put the brakes on cloud projects when security concerns loom.
Geocache: 27% of respondents in Australia and New Zealand said they use cloud-specific security tools, compared to only 15% in the U.S.
Quick Cuts of Other Key Concerns
We asked our wonderfully patient survey pool a lot of questions, nearly ninety in all. That’s more than we can cover here, but here are a few additional key findings.
This was first published in January 2013