Information Security's "2004 Priorities Survey" shows that leading organizations are tackling the need to head off the next big worm at multiple strategic, technical and operational levels while balancing it with the need to address hundreds of less-emergent but more quantifiable threats. What role is played by new regulations and constant technological change? And which security technologies can help you achieve these goals without breaking the bank?
Conducted in February and March by Information Security research partner TheInfoPro (TIP), the survey is based on 175 one-hour interviews with U.S.-based Fortune 1000 companies, providing a rare behind-the-scenes look at the security practices and spending plans of multibillion-dollar firms such as McKesson, Motorola, Reed Elsevier/LexisNexis, Panasonic and ABN AMRO.
The good news, according to the survey, is that 2004 security budgets are stable or growing at most Fortune 1000s; only 20% of interviewed companies say they're planning to spend less on their current vendors over the next 12 months. In particular, consumer goods/retail firms and health care/pharmaceutical companies are investing heavily in security in 2004. The bad news is that security budgets -- and the managers in charge of them -- are spread thinner than ever.
Faced with a constant barrage of cyberattacks, increasingly complex and perimeterless networks and growing regulatory pressure, Fortune 1000s are evolving a portfolio approach to IT risk management. Where smaller companies still pour the bulk of their budgets into perimeter technologies -- 74 cents per security dollar -- Fortune 1000 spending is evenly distributed among perimeter, infrastructure and security management.
At the perimeter, the legacy base of network- and transport-layer security gear is being upgraded or supplemented with enhanced traffic inspection technologies, such as IPSes and Web-application firewalls. One-quarter of surveyed companies are evaluating SSL VPNs for application-specific access control. New investments in antispam software will taper off dramatically as it becomes a standard part of e-mail filtering, much like gateway AV.
At the infrastructure level, enterprises are focusing on new identity and access management tools aimed at reducing the cost and complexity of account administration in heterogeneous environments. User provisioning is in more plans as companies shift from homegrown software to packaged tools. In 2005, many security shops will evaluate (or, in some cases, reevaluate) single sign-on (SSO). Investments in host-based IDS and IPS will also grow, though more slowly than perimeter-based IDS/IPS. Spending on new wireless LAN security tools will also grow, though resistance to wireless still runs high.
The focus of security management is on vulnerability management products and practices, including assessment scanning and configuration management. Patch management is a top priority, with 16% of surveyed organizations planning to spend more on this activity in the next six months. While investments in security dashboards are growing, many organizations still rely on homegrown tools and manual, qualitative processes for risk management.
ANDREW BRINEY, CISSP, is editorial director of Information Security magazine, part of the TechTarget Security Media Group.
Read the full Information Security magazine feature, Doom or Boom?