Our survey finds that enterprises are spending big on management systems to meet regulatory requirements.
|Top Security Priorities|
Big Brother is not only watching your security; he is driving the adoption of key technologies that help bring order to the chaos of compliance and management.
"Even though it's a hassle keeping up with the regulations, it's really wonderful because I haven't seen a regulation that asked us to do something that we didn't have to do already," says Wayne Proctor, CISO at Certegy. "What's being asked for are things that I've always wanted to get in the program."
SOX, GLBA, HIPAA, SB 1386, Basel II and scores more regulations have become integral parts of the security lexicon. Since the inception of SOX, enterprises have been racing to beef up their security to improve corporate governance, ensure the integrity of data and prevent breaches that could result in huge fines and, worst-case scenario, jail time.
|The Heat Index|
TheInfoPro interviewed 179 Fortune 1000s about their purchasing plans for IT security products and services. These technologies were then ranked by the immediacy of their planned implementation and level of security spending--the higher the score, the higher the priority and the greater spending level. Here are the top 20 technologies for 2005 and how they compare to 2004's rankings:*
NOTE: No score for 2004 means it didn't make the list last year.
But it's more than just regulatory compliance. Many enterprises are pushing their partners and service providers to adopt tighter security controls to both ensure their own compliance and avoid breaches. This is the challenge facing Certegy, a credit and debit card transaction processing firm that must adhere to SOX in addition to the specific security requirements of the 6,000 banks it services worldwide.
"We're responding to customer demand," says Proctor. "For instance, we participate in the Visa network, doing authorization of people's spending limits. Visa has a reputation to uphold; it needs to be secure. And since everything is networked together, it needs to be assured of the security of its partners."
How are enterprises coping with these demands? In a technology survey of Fortune 1000s by Information Security and TheInfoPro, major technology deployments and plans across all industries are focused on infrastructure and management systems--security information management, identity management and enterprise security management systems--as well as internal security infrastructure improvements.
|Top Technologies by Industry|
SOX and other security regulations' integrity requirements dictate that enterprises know who's on their systems, who's accessing their data and what they do with that data. This is renewing interest in technologies that provide command and control over the entire identity management lifecycle.
Protecting infrastructure and information share the top spot of this year's enterprise security priorities and are the dominant priorities in several industries. Enterprises are moving beyond the traditional paradigm of "keep the bad guys out, let the good guys in," to one of "security experience management"--what users are allowed to do once they gain access.
"We need to know who the users are, what they're accessing and whether what they're accessing is authorized," says Pamela Fusco, CSO of pharmaceutical giant Merck. "I have to sign off that someone has the right to do what he's doing. And when the user leaves the company, we deprovision his account quickly."
Merck has 72,000 users across its global operations and provides hundreds of thousands of partners, contractors, researchers and consultants access to its systems. Provisioning, administering and monitoring user access are top priorities because of regulatory requirements.
Merck's corporate security department has 20 full-time admins devoted to nothing but identity management issues. Like many enterprises in similar situations, Merck is rapidly adopting automated password reset solutions, account monitoring applications and federated identity capabilities. The goals are to easily maintain regulatory compliance, contain the cost and improve the efficiency of identity management, and improve user experience through simplified sign-on.
"One of the biggest issues is the time you have to spend identifying accounts, and decommissioning accounts and passwords," Fusco says. "If there were a streamline methodology--a lifecycle--you wouldn't spend so much time and resources on identity management."
Many identity management solutions are on rapid-adoption curves, despite the complexity of the technology and its associated processes. According to our survey, 39 percent of enterprises use self-service password systems, while another 35 percent plan to deploy them within the next year. The numbers are nearly identical for automated provisioning systems: Enterprises seem to be banking on point solutions rather than integrated suites, which are only deployed in 21 percent of surveyed enterprise and have a shallower adoption curve.
"Getting identity management into one spot, under more control and to report more effectively is our goal," says Patrick Heim, VP of security at McKesson, a global provider of health care products and systems. "Suites are still very complex because they require agents, strict roles and a significant initial investment to get off the ground. Centralizing identity management procedures and processes--the things that most auditors are interested in--into an automated framework is cost effective."
|Spending Priorities by Budget|
Intelligent Risk Management
Beyond knowing who users are and what they're doing, enterprises are gaining a deeper appreciation for what's happening in their infrastructure and driving continued demand for security management products, such as SIM and ESM systems. Enterprises are looking for a deeper understanding of the threats and how they translate into risk, and how to reduce risk through technologies, processes and policies.
"We're not in a position to just jump into new technologies without understanding them first. To mitigate that risk, you must understand it and know how to control it," says Preston Wood, CISO of Zionsbancorporation, a multistate community banking system with 9,000 employees and $30 billion in deposits.
"Before we deploy any control to mitigate a risk, we need to completely understand the risk and the threat. There are various ways to do that: monitoring, profiling, metrics and due diligence," he says. "A lot of the value added is in the control process. We now have a good understanding of what we're going to accomplish and how we're going to provide value to the organization."
SIM and ESM products both enjoy strong adoption rates. SIMs are currently deployed in 30 percent of surveyed enterprises, while ESMs are in 25 percent. Deployment of SIM and ESM technologies is estimated to grow 33 percent and 23 percent, respectively, over the next 12 to 18 months.
Vendors are transforming these products from aggregators of IDS event logs into real-time event correlation and monitoring tools, thereby giving enterprises deeper insight into what's crossing from the network to the application layer. The products are able to slice and dice the data for everything from regulatory compliance to detecting rogue processes and applications.
Auditing applications are essential for regulatory compliance, but adoption of this technology set is slowing. Slightly more than 50 percent of the surveyed enterprises have auditing applications in use, while 18 percent plan to deploy them before the end of this year; 7 percent plan to have auditing apps in place within 18 months.
Marrying technologies and processes is a key component of any risk compliance program. Enterprises are looking for products that give them actionable information that they can use to make adjustments in their security management and compliance efforts.
Zions uses customized information-gathering tools to assess its security posture and make adjustments. It's the process that keeps the bank in compliance with SOX and GLBA, not the technology.
"We don't want to be in a position where every regulation is a fire drill," Wood says. "We need to be in a position where it's process-based."
Hardening Still Essential
In August 2003, when the Blaster worm turned internal clients against the network, security fundamentally shifted from a hardened perimeter guarding against external threats to a more internal approach, says David Giambruno, director of strategic technology and security at Pitney Bowes. Enterprises have been forced to devote more attention and energy to monitoring and hardening their individual desktops and mobile devices.
Giambruno's means for addressing this challenge is data correlation--breaking down the security silos of data residing in firewalls, IDS/IPS, AV, servers and desktops. With security tools such as ESM and SIM, and internal policy enforcement solutions, Pitney Bowes is drawing in millions of events per day and correlating them against known pieces of its infrastructure to gain a granular view of its security posture and how the company can best mitigate risk.
"It's all about information, not the data; everything is delivered in context," says Giambruno. "We process 50 million correlations a day, and it's all automatic. Every time, I bring that data source in, I correlate it with what I know about my network. Everything I do is now red, yellow or green."
Organizations are turning to dashboards to facilitate correlation and provide quick reports of the enterprise security posture. The Information Security/TheInfoPro survey found that 27 percent of responding enterprises have security dashboards in use, and another 23 percent plan to implement dashboards over the next 18 months.
Complementing security information systems and dashboards are basic security tools that automate the process of vulnerability discovery, configuration management and patching. Most surveyed enterprises have invested heavily in these technologies.
Patch management products are being used in 76 percent of enterprises, and another 20 percent are planning to roll out patching systems over the next 18 months. Vulnerability management products have a deployment base of 67 percent, with another 21 percent planning implementations through 2006.
"If you keep you systems up to date and follow the basic tenets of systems management and control, you can maintain security," says Giambruno. "It just takes a little discipline."