Network access control (NAC), disk encryption and application security technologies and services topped the list of interests of IT professionals, according to a survey conducted by Cambridge, Mass.-based Forrester Research Inc.
Forrester surveyed more than 1,000 IT decision-makers in 2007 to gauge the state of the IT security industry and project the security issues gaining the most attention. Forrester said 21% of respondents were the company's senior-most IT decision maker, 29% were executives in IT, and 48% were IT managers.
The survey revealed that many managers are struggling with a lack of money to begin projects, are missing the in-house skills to oversee them and are overburdened by having to address too many security issues. But it also showed that many companies are interested in new technologies to automate security, focus on threats at the endpoint and begin to address Web application and internal threats.
While NAC got off to a sluggish start, with slower-than-expected adoption rates in 2007, it remains on the minds of Forrester's survey respondents. About 43% expressed interest in NAC or planned to adopt the technology within the next 12 months.
"We've got the mobility of users and the mobility of data and companies want to address the risks associated with that," said Jonathan Penn, an analyst with Forrester Research. "Businesses are also extending their processes to others through outsourcing and off-shoring so they need to have more controls in those environments and that brings up all sorts of management challenges."
IT pros say they are still wary about the maturity of NAC technologies and vendor viability. The market is also still working itself out. Cisco acquired Perfigo in 2004, Symantec bought Sygate and, more recently, Sophos and Novell acquired Endforce and Senforce, respectively.
Richard Jacobs, the chief technology officer of antimalware vendor Sophos, said the NAC market would continue to consolidate and change in 2008. Jacobs said Microsoft would have an effect on the market once it releases more information about its Network Access Protection (NAP) strategy.
"We see large numbers of people who have evaluated NAC and very small numbers that have actually deployed it," Jacobs said in a recent interview. "The problem is that there's confusion about what it is, confusion about the problem it's solving and therefore the technologies to approach it."
Currently, people are approaching NAC either via network devices or through an endpoint technology approach, but it is a combination of the two that will ultimately make NAC work, Jacobs said.
Forrester's Penn said client security and client management as a managed service will also be a popular choice because end users are no longer in the confines of the company's four walls and corporate perimeter.
The massive TJX data breach dominated the news of 2007, and shed light on disk encryption technologies. Forrester said 46% of those surveyed expressed interest or planned to adopt the technology within the next 12 months.
TJX also highlighted the importance of protecting consumer data as well as a company's proprietary information from data thieves. Much of that data can be found within separate systems and the growth of Web applications has also increased the risk of a breach. Forrester said 44% of those surveyed were interested in or planned to adopt application security technologies or services.
To guard against cross-site scripting (XSS) attacks and other threats, many firms are turning to code scanning tools and penetration testing software to conduct application-level scanning, Penn said. If problems can't be resolved through patching and in-house development, firms are looking at Web application firewalls to block a set of specific attacks.
"There's some tremendous cost savings associated with making sure from a development standpoint that your code has been assessed," Penn said.
Many respondents said database security technologies as well as content filtering had already been adopted, according to the survey.
In addition, Forrester said compliance may not be driving spending on security technologies. Over the last year, vendors have been touting products and services to meet the Payment Card Industry Data Security Standards (PCI DSS). However, 57% of those surveyed said they were either fully compliant with PCI DSS or would be compliant within the next 12 months.
Most of those surveyed also said they were fully compliant with the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley, with 75% of respondents saying they were compliant with HIPAA or would be in the next 12 months and 67% indicating they were either fully compliant with Sarbanes-Oxley or would be in the next 12 months. Still, Forrester said many firms would be conducting ongoing compliance initiatives to ensure they stay compliant.
"Compliance may be driving budgets, but it's not the highest priority," Penn said. "Effective compliance should be an outgrowth of having effective controls in place to serve both security and compliance, so I think a lot of people have gotten a bit of overload of compliance."