For Scott Floyd, director of information security at a Texas-based community bank, 2010 will be the year to prioritize disaster recovery and business continuity. Driven by a corporate initiative to expand protection of its mission-critical systems, the bank last year implemented a lot of virtualization technology in order to failover data centers within minutes instead of days.
"2010 will be tying all those technology choices together to implement a much better recovery plan," Floyd says.
His priority falls right in line with a top concern cited by readers who participated in Information Security's Priorities 2010 survey. Seventy-seven percent of the more than 700 respondents rank disaster recovery as a priority this year and 71 percent say business continuity is a top concern.
Readers also cite compliance, data loss prevention, and access control as top priorities for 2010. And they're worried about managing emerging threats via the Web as well as the risks posed by social media. Still, budgets remain flat for the most part, and companies are focused on leveraging existing technologies to deal with security requirements.
Altogether, the story here isn't exactly new, says Matthew Todd, CSO and vice president of risk and technical operations at Financial Engines Inc., a Palo Alto, Calif.-based independent investment advisor.
"Companies need to be competitive and efficient, and at the same time protect sensitive internal and client information. What is new is that companies are reacting to external pressures from the public--their clients--and regulators to demonstrate good risk management practices: information security, business continuity, etc.," he says. "Failing to meet public and regulatory demands could be almost as bad as having a breach--regulation, after all, is the government's way of establishing minimum standards for acceptable practice."
Let's take a deeper look at some of the priorities and trends revealed in this year's survey.
COMPLIANCE DRIVES SECURITY SPENDING
All the belt-tightening during last year's recession isn't exactly going away, but some enterprises appear they may have a little more breathing room as the economy shows signs of a recovery. Thirty-seven percent of survey participants expect their security budgets to stay the same in 2010 while 23 percent expect increases from five percent to 24 percent.
Once the economy improves, 29 percent say they plan to buy new technology and the same number hope to restart security projects that were put on hold.
After the extensive cutbacks at the end of 2008, enterprises seem to be feeling a little more comfortable about overall budgets, says Diana Kelley, founder and partner at Amherst, N.H.-based consulting firm SecurityCurve. However, security spending will likely be slower to pick up than other spending.
"If people are feeling a little more comfortable, they'll want to see what happens with profit and the bottom line before they start allocating big huge chunks back into security," she says, noting that security is traditionally seen as a cost center rather than a profit center.
Richard Baich, a principal in Deloitte & Touche LLP's security and privacy practice, says companies are focused on making their existing technology more effective and efficient rather than spending more money on product solutions. His observation reflects the survey's findings, in which participants indicated that they plan to leverage features in existing hardware and software or only make small upgrades to existing equipment in order to address data protection and identity management issues.
However, Kelley says compliance has raised the corporate profile of security and consequently, continues to help drive security spending: "Suddenly compliance was something that mattered to the business--the CEO needed to be compliant with this or that regulation."
Indeed, compliance with government regulations and industry standards is the major driver for security spending for 61 percent of survey respondents.
"Having compliance requirements certainly helps budget dollars," Floyd says.
Compliance is a good rationale for security funding, especially with new regulations looming such as the Massachusetts data protection law and the federal Red Flags Rule, says Ron Woerner, a security analyst at a large architecture and engineering firm in the Midwest.
Companies with customers in Massachusetts face a March 1 deadline to comply with 201 CMR 17.00, which requires businesses to have a written information security program. While most financial institutions already must comply with the Red Flags Rule, the Federal Trade Commission has continually extended its enforcement deadline for entities it governs, including mortgage brokers, auto dealers and retailers that offer financing; those organizations have until June 1 to develop an identity theft prevention program.
Those regulations add to the number of security compliance requirements enterprises face, Kelley saysthe Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and Basel II are some of the compliance demands companies must address depending on their business.
"In general, companies are looking at that alphabet soup not going away and continuing to be a priority," Kelley says.
Driven by cost savings, companies are focused on server virtualization in 2010
In a tough economy, it's really no surprise that virtualization and the cost savings it promises is a hit in the enterprise. Sixty-six percent of survey respondents say server virtualization is a priority for their company and 77 say cost savings is the main driver for deploying virtualization at their organization.
"Virtualization will continue to be a priority," says Ron Woerner, a security analyst at a large architecture and engineering firm in the Midwest. "It makes sense: You can increase your efficiencies and reduce costs."
For survey participants, security isn't a showstopper with virtualization technology. In fact, 63 percent are confident their organization understands the vulnerabilities and risks associated with virtual systems.
Like cloud computing, virtualization is an environment that lacks documented controls and published best practices developed around the ISO standard, which makes it a little more risky, says Richard Baich, a principal in Deloitte & Touche LLP's security and privacy practice
However, securing virtual systems is much like any other system, Woerner says. "It comes down to the same story we've been preaching for years about hardening what you have, taking steps to eliminate services you don't need, and making sure the basic protections are there."
UNDERSTAND AND THEN PRIORITIZE DATA PROTECTION
For compliance-minded enterprises, data protection is a top issue. After all, standards such as PCI are all about protecting data. Security breach laws also often provide exemptions for encrypted data. Despite flat security budgets, 23 percent of survey respondents say they expect to spend more on data protection--including encryption, data loss prevention and database access controls. ">Data loss prevention also was a top technology readers cite as a target for investment when the economy improves. Sixty-four percent of readers cited compliance as the key driver for their data protection initiatives.
A lot of companies are looking at solutions for encrypting the database or other data at rest, says Chenxi Wang, principal analyst at Forrester Research. Companies are more interested in those kinds of technologies more than DLP solutions, she says.
"They are fairly expensive efforts. Right now we're only seeing that large enterprises with a lot of resources are able to undertake such deployments," Wang says. However, this year will likely bring less expensive and easier-to-install DLP solutions aimed at the midmarket, she adds.
Baich says data loss prevention means different things to different people, but in general, there is major concern in the industry about data extrusion--sensitive data inadvertently leaving the network or data missing on a stolen or lost laptop. Companies are focused on taking an enterprise-wide approach to data protection, which encompasses remote users, mobile devices and third parties in addition to the corporate office.
"We're seeing organizations begin to focus on what types of controls and frameworks they need in place for breadth of data protection," Baich says.
Oftentimes, companies fall into the trap of buying a DLP or other security product with the idea that technology will solve their problems, Woerner says. "You need to remember people, process and technology--all three need to be in your projects in order to have success in security," he says. "You can't buy security in a box."
A beneficial aspect of DLP technology is that it forces companies to understand where their "crown jewel" data is, he says. From there, it's a matter of figuring out the best way to protect it--whether to prevent it from leaking from the corporate network or within the database. "I'm hearing a lot more about database security," Woerner says. "We've gone from operating system security to application security and now we're going deeper to where the data is stored."
For 85 percent of readers who participated in the survey, the top data protection priority this year is disaster recovery and backup. Thirty-two percent expect a moderate to a major spending increase for it.
At Floyd's bank, the focus will be on expanding the real time replication it already has in place for its core banking systems to Windows-based systems that are critical to the business. The effort involves integrating technology such as VMware Site Recovery Manager, he says.
David Schneier, a compliance consultant who works with financial institutions says disaster recovery and business continuity planning are hot topics among his banking clients. And instead of thinking of DR/BCP as simply a compliance exercise, corporate management is taking a keen interest in seeing that the planning produces valuable results. The shift demonstrates a "pragmatic approach to managing risk," he says.
Companies also are taking pains to test their DR/BCP plans to ensure their viability, he says: "A few years back, almost no one truly tested their plans beyond having IT boot up the core application and running a few basic transactions threads. Now we're seeing an all--hands-on-deck approach where all key stakeholders are engaged."
CONTROL ACCESS INSIDE AND OUTSIDE THE NETWORK PERIMETER
While compliance requirements and breach fears are driving companies to focus on data protection, they're also leading enterprises to make access control a priority. Access control was the top technology survey participants (24 percent) ranked as an investment priority once the economy recovers. Sixty-one percent say improving user access rights and authorizations would be a top challenge for their organizations this year.
"There's great value in managing this properly as the greatest risk to any company remains the insider threat, which is best managed by properly restricting/removing privileges," Schneier says.
Sixty percent of readers ranked preventing employees and other insiders from unauthorized access of sensitive data as the biggest driver for their identity and access management initiatives; 58 percent cited compliance.
Access control always will be an issue because people's jobs can change daily and weekly, Woerner says: "Where do you get that balance where people only have the access they need to do their job?"
Dave Shackleford, director of risk and compliance and acting director of security assessments at Sword and Shield Enterprise Security Inc., and a certified SANS instructor, says entitlement management is getting a lot more attention in the enterprise.
"More and more companies are deploying complex extranet infrastructures like SharePoint portals that have a lot of different users coming from different places with a lot of roles they need to be assigned," he says. "It's just impossible to manage that with built-in authorization capabilities of say SharePoint or some of those technologies. So there's an uptick in the entitlement management pieces to help define roles and keep that stuff straight so you don't have security disasters."
At the same time, companies--particularly those in financial services--are focused on strengthening authentication, Shackleford says. Fifty-four percent of survey participants say getting better at strong authentication will be a priority this year.
To combat online fraud, banks are tying token or other authentication solutions to risk-based authentication systems that look at the behavior of the user or device characteristics to get a broader profile before granting access, he says.
Security pros still wary of cloud computing services
Security continues to be a sticking point that keeps organizations from jumping into cloud computing.
Seventy-nine percent of survey participants say cloud computing isn't a priority for their companies this year and 52 percent cited security concerns as the biggest barrier to using a cloud provider.
While security pros may have concerns about cloud computing, they're being forced to deal with it by business executives eager to adopt it, says Diana Kelley, founder and partner at Amherst, N.H.-based consulting firm SecurityCurve.
"We in the security trenches are still very concerned about what needs to be protected, and how it needs to be protected as we move more into the cloud, but I don't think we're going to necessarily be stopping adoption," she says.
Security experts have advised organizations to evaluate the security controls of cloud providers like software-as-a-service vendors before inking a deal to ensure their data protection needs are met.
The nonprofit Cloud Security Alliance recently released updated guidance for secure adoption of cloud computing services.
WEB THREATS AND CLIENT APP MALWARE ON THE RISE
With a threat landscape that's constantly evolving, companies are making threat management a priority in 2010. Forty-six percent of survey respondents ranked preventing viruses and worms as a top challenge and 20 percent expect to spend more on threat management this year.
"It's a perpetual problem that's become white noise, but it's a dull roar because it continues to be a dramatic issue," Woerner says.
More than the traditional viruses and worms, organizations are struggling with Web-based malware, says Forrester's Wang. What often happens is employees' machines are infected and turned into bots when they surf the Web and inadvertently visit malware distribution sites.
"That continues to be a focus--or burden--of IT," she says.
To that end, 38 percent of survey participants say they plan to spend more on Web security this year, 41 percent plan to spend more on email security and 40 percent on antivirus software.
In addition to increased threats from client applications such as Adobe Reader or Flash Player, organizations also have to worry about malware infections coming from employees visiting social media sites, Woerner says. "You're going to have a portion of the company that needs access to them in order to do business," he adds.
A majority of survey respondents (65 percent) say security concerns are a barrier to using social media in their organizations, but experts say companies can't ignore the growing importance of sites such as Twitter and Facebook. Wang says many companies are actively developing policies for social media use to address their concerns over potential data loss, malware, and reputational issues. "If they don't do it this year, they're going to have to do it next year," she says.
Overall, vulnerability management is a major concern for survey participants. Forty-two percent say performing a vulnerability assessment is a top challenge for their organization. Thirty-five percent say they plan to spend more on patch management, and 34 percent say they'll spend more on network vulnerability scanners.
Paul Rohmeyer, a faculty member in the graduate school at Stevens Institute of Technology and a consultant, says there's a growing awareness in the industry that vulnerability analysis isn't as simple as running a tool and looking at a report.
"The tools aren't going to cover everything and your testers aren't going to be able to think of every possible scenario," he says. "Welcome to the real world where it's [vulnerability assessment] an ongoing need that requires recurring testing, multiple toolsets, and smart people doing analysis."
Without a doubt, 2010 will be another busy year for companies on the security front, as they struggle to shore up vulnerabilities, meet compliance requirements, and prepare for disasters or business disruptions. While the economy takes it time recovering from the recession, security pros might at least benefit from a growing awareness of the need for security at the C-level. Fifty-six percent of survey participants say their top executive cares more about security this year than last year, and 65 percent say their top IT executive cares more about security now.
"A lot of CIOs are now beginning to get the importance of security -- that it's a necessary evil you can't live without," Woerner says.
Marcia Savage is Editor of Information Security. Send comments on this article to firstname.lastname@example.org.