

Forrester: Roles, Methods of Security Are Changing in Business

While security increases in responsibility and budget, its organization and practices are shifting strongly, research firm says

BOSTON, Mass. -- Forrester Research Security Conference 2008 -- The goals haven't changed. But for many security departments, the methods of getting there are shifting gradually, yet on a tectonic scale, a Forrester Research security analyst said here today.

In his keynote address, Khalid Kark, principal analyst for security at the industry research firm, presented data from Forrester's annual security survey that indicate the ends of today's enterprise security efforts aren't changing, but the means are. "The good news is that the priorities we set last year and before were the right ones, and security is becoming more visible in the organization," Kark said. "The bad news is that the security organization doesn't know how to deal with the visibility, and the problems are not well defined."

In a study of more than 1,100 security decision-makers at North American companies, Forrester found that after a slight dip in 2007, security is once again the top priority among IT departments, gaining the top spot in 50 percent of responding organizations. In fact, respondents said that when the year is through, security will make up 10 percent of IT spending, up from 8 percent a year ago. More than 20 percent of respondents expect security spending to increase in 2009.

“About half of that is driven by compliance efforts and recent security breaches and media coverage that make the problem more visible,” Kark said. “But I think the other half is that the security managers are doing a better job of making their case within the organization, and they’re starting to see some results.”

For the most part, IT security goals have remained the same in the past year, Kark said. Protecting customer data, cited as “very important” by 54 percent of respondents in 2007, was cited by 59 percent this year. Protecting sensitive corporate data and intellectual property, cited as “very important” by 38 percent in 2007, is up to 54 percent. Developing business continuity strategies and managing regulatory compliance also showed slight increases in importance.

However, this increasing visibility is exposing some of the flaws in the current enterprise security model, Kark said. “It’s forcing security to redefine the problem,” he said. “For example, data protection is important, but does that necessarily mean more encryption? [Respondents] ranked protecting customer data as a higher priority than protecting corporate IP, but do they really have a choice there? These are questions that organizations are struggling with.”

Part of the problem is that with its new-found visibility, security has become a priority for executives all over the enterprise. "We found in this study that in addition to the person he or she directly reports to, the average CSO reports indirectly to five or six other people within the organization," Kark said. "Isn't that too many bosses?" he wondered. "This makes it difficult to set priorities."

Some organizations are solving this problem by moving the security manager -- even the whole security department -- out from under the IT organization and into a broader role. About 30 percent of Forrester’s survey respondents say they have at least a dotted-line reporting responsibility to a president or CEO, and another 19 percent said they report to some type of executive board. “So much of the security problem is about data, not about IT or infrastructure,” Kark said.

These new reporting responsibilities, along with new business visibility, mean that IT security people can no longer spend all of their time on operational issues, Kark stated. “If you’re going to be working with the business, you can’t spend all of your time fighting fires,” he said. Security departments are learning to hand off some of the operational issues to other parts of the IT organization, or even to third parties.

“Forrester expects to see a 20 percent growth in the security services market over the next five years,” Kark said. “That’s managed services, consulting services, and software as a service. That’s huge.”

Ed Amoroso, chief security officer at AT&T, said in an interview here today that his company is seeing this shift as well. “For a long time, there was this misapprehension that we were trying to get enterprises to outsource security,” Amoroso said. “That’s not what we’re talking about. What we’re saying is that instead of the service provider sending you every bit of traffic, no matter what it is, why not have the service provider filter or block the stuff that’s dangerous or useless? If you could set a policy that told your mailman not to bother bringing you certain kinds of mail, wouldn’t you?”

But no matter who does the work, security departments are going to have to improve their ability to report what they're doing and demonstrate its value to the business, Kark said. "Companies are starting to see that compliance, which has been the big driver for a while, isn't a very efficient way of building security," he said. "Security organizations need to find their own metrics for showing how well they're doing and what value security is bringing."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
