Compliance drives opportunities for security integrators

At the 2009 RSA Conference, new regulations and initiatives such as NERC, HITRUST and CNCI could signal some opportunities in healthcare and energy verticals.

SAN FRANCISCO -- Industry experts, VARs and executives at the 2009 RSA Conference said that despite a difficult economy, the large influx of government funding around energy and healthcare could be a boon for the channel.

"We're seeing a big increase in demand around critical infrastructure," said Walter Pritchard, managing director and senior research analyst with New York-based Cowen and Company LLC, in an interview at RSA. "Initially it will be in the service sector and then we expect it to follow through with demands for products in 2009/2010."

Last year the Federal Energy Regulatory Commission (FERC) adopted the first mandatory and enforceable reliability standards to address cybersecurity on power systems in the U.S. These standards, developed by the North American Electric Reliability Corporation (NERC), coupled with the recent report of malware on electrical grid computer systems, make this an opportunity for both VARs and vendors.

"SCADA systems, NERC and FERC are hot because the energy sector needs to be auditable in 2009 and fully compliant in 2010," said Joe Magee, chief technology officer for Vigilant LLC, a security integrator.


On the healthcare front there are a number of factors that make it an attractive vertical for security VARs. First is the recent enforcement of HIPAA that has some healthcare organizations scrambling to ensure they meet the regulation. Second, the economic stimulus package, or the American Recovery and Reinvestment Act of 2009, mandates the need for electronic health documents and the ability to keep them private and secure.

To help with this effort, last month several leading healthcare organizations announced the Health Information Trust (HITRUST) Alliance, a private, independent company created to enhance the secure storage and exchange of healthcare data. A key part of that effort will be advancement of the Common Security Framework, a single set of security governance and control practices that all organizations dealing with health data can use to measure their ability to keep data secure.

"With the rumblings of the HITRUST Alliance and e-health initiatives, we're seeing an uptick in sales from the healthcare vertical," said Mark R. Carney, managing director of strategic services for Kansas City, Mo.-based vendor FishNet Security Inc. "A renewed focus on HIPAA and healthcare breach-notification requirements will drive more healthcare business for our organization over the coming months."

In addition to protecting critical infrastructure and health records, the federal government has earmarked billions of dollars to strengthen and secure its own networks.

"You'll see a big increase in federal demand as [Comprehensive National Cybersecurity Initiative] CNCI provides the funds for necessary security upgrades," said Rob D. Owens, vice president and senior research analyst for Portland, Ore.-based equity research firm Pacific Crest.

While the government beefs up its own infrastructure and funnels dollars into new initiatives, existing compliance demands will continue to drive spending.

"Compliance and managing risk is job one," said Doug Leland, general manager of Microsoft's Identity and Security Business Group, adding that security spending is up as a share of overall IT spending. Leland also said membership in Microsoft's Security Software Advisor (SSA) program was up 300% year-over-year to 24,000 partners.

FishNet's Carney said interest in data loss prevention has increased as states such as Massachusetts enact data privacy laws. "FishNet is seeing an interest in data classification, data lifecycle flow analysis, and how to specifically protect structured and unstructured data," said Carney. "It's all about [compliance] and it's all about the data."
