Tech in Depth: As the cyber-security battle continues, the effect of the recession on security budgets combined with the rise of Web 2.0 puts new emphasis on anti-malware protection, patch management, data loss prevention and safer social networking. Internal communication is vital as companies brace for continued cyber-crime and the advent of HTML5.
Security challenges for organizations are tougher than ever.
Old scourges such as malware are taking on new potency as penetration tools and
exploit kits are becoming more of a commercial affair, as attack sophistication
is increasing through years of the ever-escalating battle of security
researcher versus cyber-criminal and as more employees and customers are
interacting with the omnipresent Internet in more ways.
What's worse, the strained economy is putting more pressure
on organizations to cut back on the scope of and spending on their security
infrastructures. PricewaterhouseCoopers' 2010 report, "Trial by Fire,"
based on its Global State of Information Security Survey (with CIO Magazine
and CSO Magazine) of more than 7,200 CEOs, CIOs, chief information security
officers, chief financial officers "and other executives responsible for
their organization's IT and security investments in 130 countries," points
to reductions in scope and delayed implementation as the predominant current
methods of cost control for security projects.
Unsurprisingly, 2009 was the first year of the past four in which the percentage of respondents indicating that security "spending will increase" decreased notably (by 6 percent), yet over 50 percent of respondents said they were "concerned about cost reduction efforts that make adequate security more difficult to achieve." They also said they believe that "threats to the security of their business assets have increased."
Given the increased threats and the spending pressures, IT
admins have their work cut out for them, not only to fend off the attacks (the
tools and strategies for which should be pretty familiar by now) but to
effectively make a case to the financial folks in their organizations for the
investments that need to be made. In corporate America,
unlike governmental America,
leaders are no longer willing to shell out big bucks simply to feel safe. CISOs
now need to not only demonstrate that corporate assets are secure, but also provide
numbers indicating the value of this safety.
Increased collaboration between business and IT security
leaders is of major strategic importance. Fewer resources are being devoted to
dedicated security functions during the economic downturn, and business leaders
frequently require cohesive and convincing plans in advance of security
expenditure. It's rapidly becoming unacceptable to implement new or upgrade
existing security measures without a clear statement of objectives and a
reliable method of measuring success.
This is true down the line from management to security
practitioners in the trenches. Communication, in the form of alerts and
reports, is essential not only for the security apparatus to act efficiently
but also to document that the apparatus is effective. In many ways, increased
attention as a result of governance, risk and compliance initiatives is driving
IT security departments toward greater transparency. It starts with well-designed and integrated security approaches that can be centrally provisioned and administered, such as anti-malware, DLP (data loss prevention), vulnerability assessment and software patching. The ability to manage threats and combine reports across the logs of multiple solutions is becoming more and more important.
Matthew D. Sarrel, CISSP, is a network security, product development, and technical marketing consultant based in New York City. He is also a game reviewer and technical writer. To read his opinions on games please browse http://games.mattsarrel.com and for more general information on Matt, please see http://www.mattsarrel.com.