Upper management once relied on IT staff to make their PCs run faster, store more data and keep from crashing. Thanks to the growing ferocity of online attacks and new government regulations, network managers now find themselves under pressure to keep the entire business afloat.
The technology they're turning to reflects that pressure, Louisville, Colo.-based software firm StillSecure found when it recently surveyed 1,400 IT professionals.
A breakdown of the numbers shows that 55% of respondents base their purchasing decisions on data protection, 20% want technology to help them comply with laws like HIPAA and Sarbanes-Oxley; and 14% want tools to prevent network downtime.
The survey indicates IT professionals have taken care of the basics, with 96% installing antivirus, 94% using firewalls and 78% adopting VPN security tools. Now they're ready to add more layers, with 83% vowing to install intrusion detection/prevention technology by year's end, 74% planning to adopt a vulnerability management device and 67% saying they'll add endpoint policy compliance technology to their network.
StillSecure CTO Mitchell Ashley spoke to SearchSecurity.com about the IT pressures behind the numbers and how network managers can maintain their sanity.
What keeps IT administrators from sleeping at night?
Ashley: IT security is being held accountable for keeping businesses running. There's now a direct tie between the revenue and productivity of the organization and security. For IT staff, it's no longer just about managing the network. The visibility of security has increased greatly and staffers must demonstrate what they've done and prove it's the best practice. The potential impact of a security issue is very broad on the organization. If you're not prepared for a worm attack, it can bring down the entire network and keep the business from functioning.
When people say they want to protect data, are they more concerned about worms and viruses or insider threats?
Ashley: Both. We can no longer just worry about the latest virus. There's a correlation between protecting data and compliance. It's all about protecting the integrity of data, whether it's HIPAA or another law. Compliance is a main driver.
When it comes to compliance, which tools do people clamor for?
Ashley: They need to leave an audit trail of all their activities to show they've taken adequate measures to protect information. What customers require now is a vulnerability management system that not only assesses but notifies you of problems. Rather than a tool, what they require is something that helps them develop a secure process and have an audit trail showing who did what, when and what the outcome was. In the past, it was done on the honor system. Systems people would report on vulnerabilities and then they would present a plan of action. Now they need to show proof that the vulnerability is there and that their plans will work.
Do you see a shift in thinking when it comes to the best way to secure networks?
Ashley: The biggest shift is away from the view that security is a defensive activity. People are now going for a multi-pronged strategy of preventative security; compliance and real-time defense. The old way of thinking was that a network was secure on the inside but not outside on the Internet. Now they see just as many threats on the inside from untrusted devices. You have contractors bringing in their laptops, remote workers using the VPN. Organizations are implementing policies for end-point devices -- security requirements devices must meet before they can get on the network. It's telling that 83% of respondents plan to implement an intrusion detection and prevention system by year's end, that 74% plan to implement a vulnerability management solution and 67% plan to implement an endpoint policy compliance solution.
Any surprises in the responses?
Ashley: Reducing liability came in at 3% as a motivator for security purchases. That percentage used to be higher. The shift illustrates that security spending is now a business process -- a must-have for continuity, not as an insurance policy.
Were all respondents StillSecure customers?
Ashley: No. We've built a database that we market to and do surveys to. We purchase lists of IT professionals from a variety of sources, like magazine subscriptions. The people we contact represent a broad spectrum across the industry.
For sanity's sake, what's your advice for IT managers?
Ashley: Avoid the whack-a-mole strategy. Look for integrated, layered security solutions that fit into a comprehensive security architecture. You need protection in a cost-effective manner.