1 In 5 Companies Cutting IT Security Spending, Our Survey Finds

Budget woes, increased regulation, and new challenges for sensitive data are on the menu for risk managers.
Money Makes The World Go Round

Despite economic pressures, compliance programs are getting funding because companies have no choice. Adam Ely, a former senior information security manager at Disney turned consultant, sees companies saying, "Let's do what we have to do to get through the next audit." That mind-set increases spending for and awareness of compliance, consultant Pironti notes, but it subverts the discussion about ongoing risk management.

Not everyone sees an increase in spending on compliance. Mike Healey, president of integrator Yeoman Technology Group and an InformationWeek contributing editor, notes that as tech funding and staffs are kept flat or reduced, even compliance audits are back-burnered "because audits aren't front-line defense." Two years ago, Healey says, "organizations had audit schedules or did it themselves. Today, they're prioritizing efforts elsewhere."

Beyond regulations, federal, state, and local laws also affect security spending. Breach notification laws don't tell companies how to protect data; they just require that companies tell their customers when they've lost those customers' data. But because no company wants to end up in a data-breach headline, those laws have been among the biggest drivers of information security spending. Similarly, laws in Massachusetts, Nevada, and other states for protecting personal information on devices containing sensitive data will certainly drive up spending for any company doing business in those states.

Security vendors are creating products to meet the new laws and regulations, but watch out for snake oil. "The side effect of compliance is that a lot of vendors are just repurposing old products as compliance solutions," says consultant Ely. "The repurposed products are claimed to solve items on the PCI checklist or standard governance, risk, and compliance initiatives." Even the governance, risk, and compliance software market, where products help you score, assess, and manage risk, is seeing an explosion of new products--not all of which are particularly useful.

One practice that Ely sees as increasingly popular and useful is data masking, a process that replaces sensitive data with legitimately formatted fake data. Here's how the practice works. Organizations have to test new applications and application patches on test systems before applying them to live systems, and they have to protect private data. Developers and testers--particularly those outside a company holding sensitive data--shouldn't be allowed to view private data, but they have to work with valid data to test their applications and patches. Data masking, for which there are many techniques and products available, generates valid but obfuscated functional data. It's a relatively straightforward process that should be employed for outsourced development tasks.
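As an added illustration of the masking idea (not code from the article or from any product it mentions), here is a small format-preserving masker in Python. A keyed HMAC makes the same real value always map to the same fake value, so foreign keys across test tables still join, and a masked card number keeps its issuer prefix and a valid Luhn check digit, so validation logic in the application under test still passes. The key and all sample values are constructed for the example.

```python
import hashlib
import hmac
import re
import string

MASK_KEY = b"example-masking-key"  # constructed; a real job uses a fresh, secret key

def _stream(value: str, salt: str, n: int) -> bytes:
    """Keyed one-way bytes: same real value -> same fake value, never reversible."""
    out, ctr = b"", 0
    while len(out) < n:
        msg = f"{salt}:{ctr}:{value}".encode()
        out += hmac.new(MASK_KEY, msg, hashlib.sha256).digest()
        ctr += 1
    return out

def mask_text(value: str, salt: str = "text") -> str:
    """Swap each letter/digit for one of the same class; punctuation survives."""
    out = []
    for ch, b in zip(value, _stream(value, salt, len(value))):
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isupper():
            out.append(string.ascii_uppercase[b % 26])
        elif ch.islower():
            out.append(string.ascii_lowercase[b % 26])
        else:
            out.append(ch)
    return "".join(out)

def luhn_check_digit(body: str) -> str:
    """Check digit for `body` (rightmost body digit is the first one doubled)."""
    total = 0
    for i, d in enumerate(reversed(body)):
        n = int(d) * 2 if i % 2 == 0 else int(d)
        total += n - 9 if n > 9 else n
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    digits = re.sub(r"\D", "", number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]

def mask_card(number: str) -> str:
    """Keep the 6-digit issuer prefix (routing logic still works), mask the
    account digits, recompute a valid check digit, keep the original spacing."""
    digits = re.sub(r"\D", "", number)
    body = digits[:6] + mask_text(digits[6:-1], "card")
    new = iter(body + luhn_check_digit(body))
    return "".join(next(new) if c.isdigit() else c for c in number)
```

The modulo mapping has a slight bias toward low digits and letters, which is harmless for test data but is why this is masking, not encryption.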

Ely also sees enterprise rights management as an increasingly useful technology because ultimately you need to manage access to data wherever it resides. Rights management controls who can do what to data. Policies define the controls required to read, write, or modify a document. Often the data is secured via encryption, so if it's sent outside the realm of the digital rights management system, it can't be viewed.

chart: What would be the effects of attacks?

The major difficulty with rights management is a lack of standard formats and interfaces among products and operating systems to uniformly manage rights. For example, if you and a partner want to exchange documents protected by rights management, you'd have to use the same system. It's good for relatively small communities of interest but doesn't scale well to a global environment. Standardized formats and protocols must be developed and implemented in products.

Work To Do

Robert Richardson, director of the Computing Security Institute, thinks there's still work to be done in the more mundane parts of security, like log management and how it relates to security and compliance. "In many cases where there is a breach, there were flags indicating a breach but they were never noticed," Richardson says. "It's like trying to find a needle in a stack of needles because most events look pretty much the same. Practitioners tell me they have a hard time getting the funding for log management because it sounds dull, but it's a necessary tool." Log analysis tackles a number of challenges, from simply getting all the logs in one location, to normalizing them, to understanding what the logs are saying and then correlating individual entries to a particular event.

Southwest Washington Medical Center makes extensive use of its health application logging facilities, says Christopher Paidhrin, the hospital's IT security and compliance officer. "Actions like accessing or modifying records are recorded so that in the event of an incident, we can trace an employee's steps," he says. "Most improper record accesses are accidents, and we can see that from the short duration of the access and the lack of a pattern of unauthorized access attempts when a mistake is made."

Paidhrin admits that much of the hospital's log monitoring is reactive, but like all security programs, it's evolving. Simply managing the volume of events and making sense of the relevant ones requires going beyond log management software to correlate discrete events into security alerts.

chart: How will security spending this year compare with last year?

That's the job of security event management (SEM) systems. These big SEM systems can cost a quarter of a million dollars and then take lots of care and feeding, putting them out of reach of many organizations. Seeing a vacuum, log management vendors have been adding SEM-like capabilities such as smart searching, reporting, trending, and graphing to their product lines, but those features are a long way from correlation. Both PCI and HIPAA have language requiring regular log management and review as a best practice.
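To make the correlation step concrete for the two passages above (Paidhrin's accidental-versus-patterned distinction, and the move from log management to correlating discrete events into alerts), here is an added Python example; it is not code from the article, the hospital, or any SEM product. It rolls a constructed EHR audit log and a constructed care-assignment table into one verdict per user: a burst of denied accesses is alerted, a sustained view of an unassigned record is queued for review, and a brief isolated one is classed as likely accidental.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR audit log (not from the article): time user record action outcome
LOG = """\
2010-03-02T09:01:10 nurse01 rec-1002 view ok
2010-03-02T09:01:14 nurse01 rec-1002 close ok
2010-03-02T10:15:00 clerk07 rec-2001 view denied
2010-03-02T10:15:20 clerk07 rec-2002 view denied
2010-03-02T10:15:41 clerk07 rec-2003 view denied
2010-03-02T10:16:05 clerk07 rec-2004 view ok
2010-03-02T10:22:30 clerk07 rec-2004 close ok
"""
ASSIGNED = {"nurse01": {"rec-1001"}, "clerk07": set()}  # constructed care assignments

def parse(text):
    """One tuple per log line: (time, user, record, action, outcome)."""
    rows = (line.split() for line in text.splitlines())
    return [(datetime.fromisoformat(ts), u, r, a, o) for ts, u, r, a, o in rows]

def sessions(events):
    """Correlate each successful view with its close -> (user, record, seconds)."""
    opened, out = {}, []
    for ts, user, rec, action, outcome in events:
        if outcome == "ok" and action == "view":
            opened[(user, rec)] = ts
        elif outcome == "ok" and action == "close" and (user, rec) in opened:
            out.append((user, rec, (ts - opened.pop((user, rec))).total_seconds()))
    return out

def assess(text, assigned, window=timedelta(minutes=10), max_denied=3, brief=30):
    events = parse(text)
    denied, unassigned = defaultdict(list), defaultdict(list)
    for ts, user, _, _, outcome in events:
        if outcome == "denied":
            denied[user].append(ts)
    for user, rec, secs in sessions(events):  # views outside the user's assignment
        if rec not in assigned.get(user, set()):
            unassigned[user].append(secs)
    verdict = {}  # users with nothing flagged are simply absent
    for user in {e[1] for e in events}:
        d = denied[user]  # largest number of denials inside any sliding window
        burst = max((sum(timedelta(0) <= t - s <= window for t in d) for s in d), default=0)
        if burst >= max_denied:
            verdict[user] = "alert: pattern of denied record access"
        elif any(s > brief for s in unassigned[user]):
            verdict[user] = "review: sustained access to an unassigned record"
        elif unassigned[user]:
            verdict[user] = "likely accidental: brief, isolated access"
    return verdict
```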

As we concluded after last year's Strategic Security Survey, don't focus on tactical missions like regulatory compliance and cloud computing; focus on the strategic mission of information security via risk management. Whether your sensitive data is in your own data center, in a cloud service, or replicated between the two, the same privacy requirements apply. Prioritize your risk requirements, determine which steps must be taken to protect your information, and then figure out what technology, product, or processes you need to mitigate your risk.