Security spending driven by mergers, Web 2.0 and compliance

By Michael S. Mimoso, Editor, Information Security magazine
28 Oct 2008 | SearchSecurity.com

BOSTON -- Regulatory and internal compliance remain the primary drivers of your organization's security spending, but closing quickly on their heels is a concept certainly familiar to voters less than a week from the presidential election: change.

PricewaterhouseCoopers' annual Global State of Information Security Survey puts technological and market-driven change -- brought about by a glut of mergers and acquisitions, advancements and interest in Web 2.0 technologies for business and other such factors -- almost on par with compliance. The Big Four audit firm released the survey results Tuesday.

"If security is going to add value to the business, it has to get involved from the get-go in all of these changes," said Gerard Verweij, technology advisory services partner with PricewaterhouseCoopers (PwC).

Compliance remains the most important ongoing trend emerging from the survey, which was taken by nearly 7,100 people globally, including C-level professionals such as financial officers and chief executives. Of note was the lack of alignment between security and top executives around security spending and internal compliance.

For example, CEOs and chief financial officers (CFOs) believe security policies and spending are completely aligned with business objectives, much more so than chief information security officers (CISOs) and chief information officers (CIOs). CEOs, CFOs and even CIOs, meanwhile, believe business continuity and disaster recovery are the primary business issues driving security spending, while CISOs stand on regulatory compliance.

Ironically, 73% of respondents believe users are compliant with internal policies, but less than half conduct compliance testing or monitor compliance with policy to back up that belief.

Overall, the survey demonstrates that security is becoming more of a strategic than operational function, but it's also becoming incumbent on CISOs to demonstrate their value, especially in a recession.

"You must have a risk strategy and conduct risk assessments to determine where to spend your money," said panelist James Mignone, CISO at RBS Americas, the former Citizens Financial Group. "And it's not just spending on technology, but on people and processes. We've got a long way to go as an industry before CEOs understand what that means and why security staffs need to grow."

Mignone called for the development of metrics to enable management to better understand risks and how security mitigates them.

"We have a bad reputation of being just cool tool guys, but when CEOs and management ask questions, having cool tools is not a good answer," Mignone said. "We need to translate how we're mitigating risk from risk assessments and translate that to metrics so that management can understand what we're doing. You need a team that's IT risk-focused rather than a team that is made up of IT security geeks. We need them, but it's got to be a coordinated team looking at the whole picture, and not just at the technology in the background."

Another noteworthy trend from the survey is the double-digit increases in implementations for technologies such as encryption and Web security products. Driven by regulation and data protection initiatives, encryption for laptops, databases, tapes and removable media is being more widely deployed. Implementation numbers for content filters, site certification spending and even Web services security are also increasing.

While technology spending and projects may be up, investments in people and processes are up slightly or down. The number of organizations performing background checks is down 2% from a year ago, while monitoring the use of assets, tiered authentication and centralized information management went up between 2% and 7%.


