What can we expect from Forrester Security Forum, particularly your keynote?
Based on our previous experience, the majority of our audience is made up of executives and senior security professionals, so we'll be talking a lot about how specific security technologies and strategic approaches are evolving.
For my keynote, there are primarily three sections. First, the evolution of information security: where we've come from, where we are, where we're headed. Second, I'll discuss data points we've received from our most recent security survey, which includes information on various organizations' budgets, projections, top priorities, etc. It's the first time we'll be showing this data. The third section of the speech looks at the next five years, exploring the challenges and specific processes that you'll need to implement to succeed in the future.
You mention the security budget data. Will the current economy affect security spending?
Yes and no. I think there are some sectors that are more adversely affected than others. We tend to find that in certain sectors, although there hasn't been an increase, there also hasn't been a decrease -- companies are keeping their security budgets. Organizations are scrutinizing a lot more; vendor cycles are longer and longer. Some industries, such as transportation (airline, auto manufacturers and so on), have made cuts, but those are exceptions and not the rule. Generally we find that security is not very affected by this economic downturn.
"There's obviously going to be complexity and change and additional challenges for security, but we're in a pretty good place."
Khalid Kark, Principal Analyst, Forrester Research Inc.
One reason is the media. Because of the recently published security breaches they've been able to get the point across that if we don't spend on security we'll be on the front page of the newspaper. CEOs, etc. understand a little bit more about what security means to them. Customer demand, market-driven conditions, etc., are areas where security is becoming a certain part of your business. Customers understand that if they share data it'll be protected, so companies have a proactive attitude: Let's make security a competitive advantage. Customers are forcing companies to look at and about external press and media coverage of security breaches. So, three factors are forcing senior management to figure out where they are in terms of security and spend the right amount of money to mitigate those risks.
What are the most serious security threats that we are facing today?
The most complex things that we're dealing with today are the complexity of our environments. It's becoming a lot more complex to manage the environment. We don't have just one perimeter that we need to protect. We need to protect the data in different organizations. There's complexity from two angles: There are more tools, make sure they work together. Also, in terms of becoming more global, it becomes harder to control where the data we have goes. So, third-party security becomes hugely important and information-centric view struggles. A lot of companies are challenged in the area of protecting intellectual data and employee data.
Are we getting better at dealing with today's threats?
Yes, we are. I think we're getting better at getting the basics right. I think the bad guys are always going to be a step ahead and they're always going to find a way to break what we have in place. But I find that we're getting better at getting the basics right.
Is the current state of security a bleak picture?
It's not as bad as we're thinking or we're made to believe. I think we are in a pretty good spot right now. There's obviously going to be complexity and change and additional challenges for security, but we're in a pretty good place. CISOs have been able to get traction on areas they've struggled with in the past. Recent data suggests we're improving and getting company buy-in.
Will companies delay deployments in any particular security area?
Sure. I think what we did in the past is spend a lot on tools and technologies, and we continue to do that. Depending on where you are it'll vary. Some of the companies (industries) don't even have basic security tools and technologies, so they may still buy those and cut down on the more mature tools and services. On the other hand, there are more mature companies that may hold off on tools/technologies that will enable them to gather data. Tools, technologies and services that focus on specific pain points will sell; broader visions and grandiose approaches are not going to sell. So companies are looking for vendors that can solve an immediate pain point for them, but later expand into broader areas. There's more potential for growth in products that offer a suite instead of a single point solution.