Security challenges for organizations are tougher than ever. Old scourges such as malware are taking on new potency: penetration tools and exploit kits are becoming more of a commercial affair, attack sophistication is increasing through years of the ever-escalating battle between security researchers and cyber-criminals, and more employees and customers are interacting with the omnipresent Internet in more ways.
What's worse, the strained economy is putting more pressure on organizations to cut back on the scope of and spending on their security infrastructures. PricewaterhouseCoopers' 2010 report, "Trial by Fire," based on its Global State of Information Security Survey (with CIO Magazine and CSO Magazine) of more than 7,200 CEOs, CIOs, chief information security officers, chief financial officers "and other executives responsible for their organization's IT and security investments in 130 countries," points to reductions in scope and delayed implementation as the predominant current methods of cost control for security projects.
Unsurprisingly, 2009 was the first year of the past four in which the percentage of respondents indicating that security "spending will increase" decreased notably (by 6 percent), yet over 50 percent of respondents said they were "concerned about cost reduction efforts that make adequate security more difficult to achieve." They also said they believe that "threats to the security of their business assets have increased."
Given the increased threats and the spending pressures, IT admins have their work cut out for them, not only to fend off the attacks (the tools and strategies for which should be pretty familiar by now) but to effectively make a case to the financial folks in their organizations for the investments that need to be made. In corporate America, unlike governmental America, leaders are no longer willing to shell out big bucks simply to feel safe. CISOs now need to not only demonstrate that corporate assets are secure, but also provide numbers indicating the value of this safety.
Increased collaboration between business and IT security leaders is of major strategic importance. Fewer resources are being devoted to dedicated security functions during the economic downturn, and business leaders frequently require cohesive and convincing plans in advance of security expenditure. It's rapidly becoming unacceptable to implement new or upgrade existing security measures without a clear statement of objectives and a reliable method of measuring success.
This is true down the line from management to security practitioners in the trenches. Communication, in the form of alerts and reports, is essential not only for the security apparatus to act efficiently but also to document that the apparatus is effective. In many ways, increased attention as a result of governance, risk and compliance initiatives is driving IT security departments toward greater transparency. It starts with well-designed and integrated security approaches that can be centrally provisioned and administered, such as anti-malware, DLP (data loss prevention), vulnerability assessment and software patching. The ability to manage threats and to combine reports across the logs of multiple solutions is becoming more and more important.