SAN FRANCISCO—Analyst firm IDC hosted its annual breakfast meeting at the RSA security conference here today, providing attendees with food—and food for thought about the latest IT security trends.
"Security evolution unites all platforms," Chris Christiansen, program vice president for IDC's Security Products and Services group, said at the breakfast.
Christiansen remarked that he's often asked about what's new in IT security, and he typically has a standard answer: that security is evolutionary, and it's not really about what's new.
"There isn't anything really new, and most people in security know what is coming," he said. "They are conservative in how they absorb new technology and test and manage that technology."
That said, Christiansen did say there are some macro changes in the IT landscape that are going to have a big impact on security. Two key trends identified by IDC are mobile and the Internet of things (IoT), which IDC sees as representing a significant change in terms of the scalability of security management, sensors and client endpoints.
Regarding IoT, Christiansen said some in the security industry already view IoT security as being a disaster. IDC, however, has a somewhat more nuanced view on the issue. "We view compliance and privacy as a significant risk that is even more significant than criminals and attackers," he said.
While IoT and mobile are new and emerging trends, Christiansen emphasized that there are still common security elements that carry over from other realms of IT. Among those common elements is the need for networking security, vulnerability management and monitoring, as well as identity and authentication tools. Christiansen said that some companies he has talked with are extending existing tools to work for the IoT era.
From a risk perspective, IDC's view is that security is an elastic compromise, according to Christiansen. The compromise is a triangle that includes user experience, risk and cost, with the relative importance of each changing elastically over time and based on the deployment environment.
For example, security risk often used to be raised as the primary obstacle to cloud adoption, he said. That attitude, however, has changed over time due to the economic pressures in many organizations to drive costs down, he believes.
Looking specifically at IoT, Christiansen said that with consumer devices there is no money in security. As such, the security that is embedded in a consumer IoT device is minimal, which Christiansen expects will lead to major privacy issues and future litigation issues, especially in Europe.
One area that IDC and Christiansen see as having great potential is threat intelligence.
"Threat intelligence is at the core of all security products and services now," Christiansen said.
All the data that threat intelligence systems collect might lead to a new era of risk-based budgeting, which is where Christiansen sees a very large opportunity.
"What's really exciting is that after decades of people talking about return on investment for security, there is now finally some movement around big threat intelligence vendors to start to develop actuarial tables that predict very specifically for insurance purposes," Christiansen said.
Christiansen added that as an industry there has never been enough data classified properly for proper actuarial table analysis. Chief information security officers (CISOs) are still required to justify security spending to reduce risk. Christiansen said he spoke with a CISO of a company that had been breached and was told that even after the breach, additional security spending was scrutinized. The CISO was told by senior management that just because a breach happened once doesn't mean it will happen again. The calculation that happens at some organizations is the cost of a breach relative to how much it costs to acquire additional security technology.
"That's an ugly conversation for CISOs, and it's still happening often," Christiansen said. "That's where risk-based budgeting comes into play."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.