Security

February 4, 2009 3:10 PM PST

Data breach incidents are increasing, study shows

by Jon Oltsik

My official title may be "analyst," but market research is the part of my job that appeals to the geek in me. Good thing I work at ESG, where we do market research around information assurance all the time.

Given an IT security landscape highlighted by regulatory compliance, publicly disclosed data breaches, and increasingly sophisticated threats, we often ask survey respondents whether their organization suffered a data breach in the last 12 months. ESG has probably asked this very question in several research projects over the past few years. In the past, about 30 percent of large organizations (i.e., 1,000 employees or more) claimed that their organization had suffered a data breach within the last year.

This pattern was fairly consistent from 2005 through 2007, so I expected to see similar results when we conducted another research survey focused on application and database security at the end of 2008. I was shocked to see that things have actually grown much worse. In a November 2008 survey of 179 North American-based security professionals, 56 percent claimed that their organization had suffered a data breach within the past 12 months. In further analysis, 61 percent of organizations with 1,000 to 5,000 employees suffered a data breach in that time frame. It's easy to assume that these smaller firms are more at risk since they are likely to have fewer security technologies in place and smaller security staffs. Perhaps this is true, but even bigger companies are suffering data breaches--49 percent of organizations with 5,000 employees or more endured at least one data breach of their own.

Armed with data from several years of surveys, I think it is safe to assume that things are getting worse, not better. Sensitive data continues to flow throughout the enterprise, ending up in e-mails and IMs, laptops, and thumb drives, and into the hands of malicious or careless employees--an uphill battle indeed.

We all realize that the economy stinks and CIOs absolutely must cut IT spending. That said, the ESG data suggests that they take a prudent approach to security spending cuts. Remember that one publicly disclosed breach can cost a lot more than a security staffer, technology safeguard, or additional training. Just ask TJX, Heartland Payment Systems, Monster, or the 56 percent of large organizations represented in the ESG Research data.

January 23, 2009 11:27 AM PST

Security spending 2009: The good and bad news

by Jon Oltsik

Recent Enterprise Strategy Group data indicates that security spending should maintain its current pace in 2009. There will be spending increases in some vertical sectors, like the U.S. federal government, but overall, things should remain relatively flat.

As they say on Wall Street these days, "flat is the new up." Large organizations will continue to bolster network defenses and focus on protecting confidential and private data. Given the frightening security threat landscape, this is good news.

Unfortunately, there is a caveat here. Under constant pressure to "do more with less," some chief security officers I speak with are abandoning strategic security initiatives and replacing these projects with tactical Band-Aid solutions--the old check box mentality at work. Yes, these folks recognize that they will have to "rip and replace" point tools when the economy improves, but they are willing to face that future expense to "do something" in the short term.

Ay, ay, ay! One of the reasons why the state of information security is so bad is that it is built on a foundation of islands of point tools for protection against tactical threats. Managing these systems is an operational nightmare. What's more, most of these tools aren't integrated together, so getting a true picture of the security posture of the whole business is next to impossible, which may actually lead to additional security risks. Ironic, isn't it?

My suggestion is this: Buy tactically but think strategically. Users should look to work with vendors who can address short-term tactical needs and provide a road map to integrate these products into a more strategic enterprise security architecture over time. At the other end of the spectrum, vendors must clearly articulate this value to users and help them phase in products, determine success metrics, and provide a final strategic destination.

Perhaps this is a stretch, but I hope that users and vendors can strive for this type of harmony. Otherwise, I'm afraid both groups will suffer more than necessary.
