
Forrester: Roles, Methods of Security Are Changing in Business

While security increases in responsibility and budget, its organization and practices are shifting strongly, research firm says

BOSTON, Mass. -- Forrester Research Security Conference 2008 -- The goals haven’t changed. But for many security departments, the methods of getting there are gradually shifting on a tectonic level, a Forrester Research security expert said here today.

In his keynote address, Khalid Kark, principal analyst for security at the industry research firm, revealed data from Forrester’s annual security survey which indicate that the ends of today’s enterprise security efforts aren’t changing, but the means are. “The good news is that the priorities we set last year and before were the right ones, and security is becoming more visible in the organization,” Kark said. “The bad news is that the security organization doesn’t know how to deal with the visibility, and the problems are not well defined.”

In a study of more than 1,100 security decision-makers at North American companies, Forrester found that after a slight dip in 2007, security is once again the top priority among IT departments, gaining the top spot in 50 percent of responding organizations. In fact, respondents said that when the year is through, security will make up 10 percent of IT spending, up from 8 percent a year ago. More than 20 percent of respondents expect security spending to increase in 2009.

“About half of that is driven by compliance efforts and recent security breaches and media coverage that make the problem more visible,” Kark said. “But I think the other half is that the security managers are doing a better job of making their case within the organization, and they’re starting to see some results.”

For the most part, IT security goals have remained the same in the past year, Kark said. Protecting customer data, cited as “very important” by 54 percent of respondents in 2007, was cited by 59 percent this year. Protecting sensitive corporate data and intellectual property, cited as “very important” by 38 percent in 2007, is up to 54 percent. Developing business continuity strategies and managing regulatory compliance also showed slight increases in importance.

However, this increasing visibility is exposing some of the flaws in the current enterprise security model, Kark said. “It’s forcing security to redefine the problem,” he said. “For example, data protection is important, but does that necessarily mean more encryption? [Respondents] ranked protecting customer data as a higher priority than protecting corporate IP, but do they really have a choice there? These are questions that organizations are struggling with.”

Part of the problem is that with its new-found visibility, security has become a priority for executives all over the enterprise. “We found in this study that in addition to the person he or she directly reports to, the average CSO reports indirectly to five or six other people within the organization,” Kark said. “Isn’t that too many bosses?” he wondered. “This makes it difficult to set priorities.”

Some organizations are solving this problem by moving the security manager -- even the whole security department -- out from under the IT organization and into a broader role. About 30 percent of Forrester’s survey respondents say they have at least a dotted-line reporting responsibility to a president or CEO, and another 19 percent said they report to some type of executive board. “So much of the security problem is about data, not about IT or infrastructure,” Kark said.

These new reporting responsibilities, along with new business visibility, mean that IT security people can no longer spend all of their time on operational issues, Kark stated. “If you’re going to be working with the business, you can’t spend all of your time fighting fires,” he said. Security departments are learning to hand off some of the operational issues to other parts of the IT organization, or even to third parties.

“Forrester expects to see a 20 percent growth in the security services market over the next five years,” Kark said. “That’s managed services, consulting services, and software as a service. That’s huge.”

Ed Amoroso, chief security officer at AT&T, said in an interview here today that his company is seeing this shift as well. “For a long time, there was this misapprehension that we were trying to get enterprises to outsource security,” Amoroso said. “That’s not what we’re talking about. What we’re saying is that instead of the service provider sending you every bit of traffic, no matter what it is, why not have the service provider filter or block the stuff that’s dangerous or useless? If you could set a policy that told your mailman not to bother bringing you certain kinds of mail, wouldn’t you?”

But no matter who does the work, security departments are going to have to improve their ability to report what they’re doing and demonstrate its value to the business, Kark said. “Companies are starting to see that compliance, which has been the big driver for a while, isn’t a very efficient way of building security,” he said. “Security organizations need to find their own metrics for showing how well they’re doing and what value security is bringing.”

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
