A new report from International Data Corp. is putting recent data behind the security adage that processes and people are more important than technology in preventing either malware infections or breaches of sensitive data.
Sponsored by the non-profit International Information Systems Security Certification Consortium -- (ISC)2 -- the report ranks the most important elements of a security infrastructure.
The top three include support from top managers for security policies, the need to have users consistently follow security policies and an IT department or solution provider with a qualified staff with up-to-date training. Security software and hardware don't show up as factors until after those top three are met, the report said.
The good news is that responsibility for establishing and enforcing a security policy is more often spread throughout top managers in IT as well as business managers, rather than specialists who operate at the margins of the business, rather than at its core.
That change is partly driven by a greater awareness of the risks of electronic break-ins, the acceleration in the number of threats a typical company faces and the cost of having sensitive data compromised.
Those human responsibilities and the proper maintenance of both policies and technology, often difficult to cure without consulting and ongoing services and support from outside, are a perfect target for value-added resellers (VARs) and security consultants, according to Jeff Kaplan of THINKstrategies Inc. in Wellesley, Mass.
According to a report from the Ponemon Institute, data breaches cost U.S. companies an average of $182 per compromised record – 31% more than last year.
Costs include everything from production and postage for notification letters to legal fees to absorbing the cost for credit-monitoring subscriptions customers can use to spot any potential fraud stemming from the data loss, to the cost of losing a customer altogether.
The Elk Rapids, Mich.-based consulting company studied 31 companies that had suffered significant data breaches, the total cost of which ranged between $1 million and $22 million.
The IT costs, beyond the addition of preventative measures, were negligible.
The problem, according to the Ponemon report that was published in March, is that few companies can identify a specific person or department that is responsible for protecting all a company's data. Assigning that responsibility improves security measurably, the report said.
IDC's finding, published Monday, is a step forward in that area, not only for the end-user companies, but also for the service companies they hire to reinforce their own efforts.
IDC estimates that the global population of IT professionals increased 8.1% between 2005 and 2006, and will continue to rise at about 8% per year through 2010.
Among those employing the new IT workers, education in information security and risk management has become the No. 1 goal. Business continuity and forensics follow closely behind.
End-user organizations spend an average of 41% of their security budgets on personnel and training.
Those factors, plus the increasingly stringent financial-documentation requirements of U.S. and European companies have caused a number of previously disparate functions to merge into a market defineable as centering on "security compliance and control" (SCC).
SCC products and services include content control, information-security auditing and documentation, version control, records management, vulnerability management, identity and access management, and compliance services.
IDC estimates that products and services that can be described as falling under the SCC banner will reach $7.4 billion by the end of the year.
Much of that market – certainly the products and most of the services – will be fulfilled by value-added resellers and specialty security services companies, analysts said, making security a strong and stable market for VARs and integrators through at least the end of 2010.
Dig deeper on Regulatory Compliance