
Security spending driven by mergers, Web 2.0 and compliance

By Michael S. Mimoso, Editor, Information Security magazine
28 Oct 2008 | SearchSecurity.com

Security Wire Daily News

BOSTON -- Regulatory and internal compliance remain the primary drivers of your organization's security spending, but closing quickly on their heels is a concept certainly familiar to voters less than a week from the presidential election: change.


PricewaterhouseCoopers' annual Global State of Information Security Survey puts technological and market-driven change -- brought about by a glut of mergers and acquisitions, advancements and interest in Web 2.0 technologies for business and other such factors -- almost on par with compliance. The Big Four audit firm released the survey results Tuesday.

"If security is going to add value to the business, it has to get involved from the get-go in all of these changes," said Gerard Verweij, technology advisory services partner with PricewaterhouseCoopers (PwC).

Compliance remains the most important ongoing trend emerging from the survey, which was taken by nearly 7,100 people globally, including C-level professionals such as financial officers and chief executives. Of note was the lack of alignment between security and top executives around security spending and internal compliance.

For example, CEOs and chief financial officers (CFOs) believe security policies and spending are completely aligned with business objectives, much more so than chief information security officers (CISOs) and chief information officers (CIOs). CEOs, CFOs and even CIOs, meanwhile, believe business continuity and disaster recovery are the primary business issues driving security spending, while CISOs stand on regulatory compliance.


Ironically, 73% of respondents believe users are compliant with internal policies, but less than half conduct compliance testing or monitor compliance with policy to back up that belief.

Overall, the survey demonstrates that security is becoming more of a strategic than operational function, but it's also becoming incumbent on CISOs to demonstrate their value, especially in a recession.

"You must have a risk strategy and conduct risk assessments to determine where to spend your money," said panelist James Mignone, CISO at RBS Americas, the former Citizens Financial Group. "And it's not just spending on technology, but on people and processes. We've got a long way to go as an industry before CEOs understand what that means and why security staffs need to grow."


Mignone called for the development of metrics to enable management to better understand risks and how security mitigates them.

"We have a bad reputation of being just cool tool guys, but when CEOs and management ask questions, having cool tools is not a good answer," Mignone said. "We need to translate how we're mitigating risk from risk assessments and translate that to metrics so that management can understand what we're doing. You need a team that's IT risk-focused rather than a team that is made up of IT security geeks. We need them, but it's got to be a coordinated team looking at the whole picture, and not just at the technology in the background."

Another noteworthy trend from the survey is the double-digit increases in implementations for technologies such as encryption and Web security products. Driven by regulation and data protection initiatives, encryption for laptops, databases, tapes and removable media is being more widely deployed. Implementation numbers for content filters, site certification spending and even Web services security are also increasing.

While technology spending and projects may be up, investments in people and processes are up slightly or down. The number of organizations performing background checks is down 2% from a year ago, while monitoring the use of assets, tiered authentication and centralized information management went up between 2% and 7%.


