BOSTON, Mass. -- Forrester Research Security Conference 2008 -- The goals haven’t changed. But for many security departments, the methods of getting there are gradually shifting on a tectonic level, a Forrester Research’s security expert said here today.

In his keynote address, Khalid Kark, principal analyst for security at the industry research firm, revealed data from Forrester’s annual security survey which indicate that the ends of today’s enterprise security efforts aren’t changing, but the means are. “The good news is that the priorities we set last year and before were the right ones, and security is becoming more visible in the organization,” Kark said. “The bad news is that the security organization doesn’t know how to deal with the visibility, and the problems are not well defined.”

In a study of more than 1,100 security decision-makers at North American companies, Forrester found that after a slight dip in 2007, security is once again the top priority among IT departments, gaining the top spot in 50 percent of responding organizations. In fact, respondents said that when the year is through, security will make up 10 percent of IT spending, up from 8 percent a year ago. More than 20 percent of respondents expect security spending to increase in 2009.

“About half of that is driven by compliance efforts and recent security breaches and media coverage that make the problem more visible,” Kark said. “But I think the other half is that the security managers are doing a better job of making their case within the organization, and they’re starting to see some results.”

For the most part, IT security goals have remained the same in the past year, Kark said. Protecting customer data, cited as “very important” by 54 percent of respondents in 2007, was cited by 59 percent this year. Protecting sensitive corporate data and intellectual property, cited as “very important” by 38 percent in 2007, is up to 54 percent. Developing business continuity strategies and managing regulatory compliance also showed slight increases in importance.

However, this increasing visibility is exposing some of the flaws in the current enterprise security model, Kark said. “It’s forcing security to redefine the problem,” he said. “For example, data protection is important, but does that necessarily mean more encryption? [Respondents] ranked protecting customer data as a higher priority than protecting corporate IP, but do they really have a choice there? These are questions that organizations are struggling with.”

Part of the problem is that with its new-found visibility, security has become a priority for executives all over the enterprise. “We found in this study that in addition to the person he or she directly reports to, the average CSO reports indirectly to five or six other people within the organization,” Kark says. “Isn’t that too many bosses?” he wondered. “This makes it difficult to set priorities.”

Some organizations are solving this problem by moving the security manager -- even the whole security department -- out from under the IT organization and into a broader role. About 30 percent of Forrester’s survey respondents say they have at least a dotted-line reporting responsibility to a president or CEO, and another 19 percent said they report to some type of executive board. “So much of the security problem is about data, not about IT or infrastructure,” Kark said.

These new reporting responsibilities, along with new business visibility, mean that IT security people can no longer spend all of their time on operational issues, Kark stated. “If you’re going to be working with the business, you can’t spend all of your time fighting fires,” he said. Security departments are learning to hand off some of the operational issues to other parts of the IT organization, or even to third parties.

“Forrester expects to see a 20 percent growth in the security services market over the next five years,” Kark said. “That’s managed services, consulting services, and software as a service. That’s huge.”

Ed Amoroso, chief security officer at AT&T, said in an interview here today that his company is seeing this shift as well. “For a long time, there was this misapprehension that we were trying to get enterprises to outsource security,” Amoroso said. “That’s not what we’re talking about. What we’re saying is that instead of the service provider sending you every bit of traffic, no matter what it is, why not have the service provider filter or block the stuff that’s dangerous or useless? If you could set a policy that told your mailman not to bother bringing you certain kinds of mail, wouldn’t you?”

But no matter who does the work, security departments are going to have to improve their ability to report what they’re doing and demonstrate its value to the business, Kark says. “Companies are starting to see that compliance, which has been the big driver for a while, isn’t a very efficient way of building security,” he says. “Security organizations need to find their own metrics for showing how well they’re doing and what value security is bringing.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.