By Stephen J. Bigelow, Senior Technology Writer
Earlier this year we surveyed over 700 of our readers -- your potential security clients -- and learned a lot about their security product preferences, technological interests, deployment plans and funding intentions. The following report summarizes our findings and offers some practical insights that can help solution providers like you meet the security needs of your busy clients.
IT professionals paying more attention to security issues and technologies
Survey respondents made it clear that they have a strong positive outlook for security, and almost 91% of security professionals believe that their security will improve in the months ahead.
Compliance and corporate governance requirements are influencing security. Over 75% of respondents believe that compliance will take a greater prominence in security planning. This attitude is buoyed by greater management support and endorsement. Almost two-thirds of security professionals say that top IT managers care more about security, while over half say upper management and CEOs are more concerned about security.
Compliance requirements and management attention are shaping security into a long-term strategic issue, rather than a tactical response. Over two-thirds of respondents believe that security will take on an increasingly strategic role in IT in the near future. "That is what we security people have been pushing for all these years," said Andrew Plato, president of Anitian Enterprise Security, a solution provider headquartered in Beaverton, Ore.
Compliance concerns will likely outweigh strategic planning in the near-term. "I believe the desire to improve security posture is still at the forefront," said Allen Zuk, president and CEO of Sierra Management Consulting LLC, an independent technology consulting firm. "However, I think more focus will be on meeting compliance needs and less so on more strategic requirements."
As a result of these trends, security solution providers will no longer need to convince a client why security technologies and services are needed. While a sound cost/benefit justification is still a crucial part of any security project proposal, solution providers can focus more attention on understanding and mitigating their clients' risks.
IT professionals have confidence in current security programs
We gauged security professionals on the status of 13 notable security programs: application security, incident response, intrusion detection/prevention, policy creation/enforcement, regulatory compliance, reporting, ID management and access management, threat management, vulnerability management, security metrics, IT risk management, end user education and data protection.
Respondents rate their current efforts as at least "average" across all 13 programs. While many security professionals believe they are better than average in numerous areas, the three programs where respondents most often feel they are doing "better than average" are intrusion detection/prevention (34.5%), vulnerability management (32%) and data protection (30.3%).
Security professionals also expressed weakness in some areas. The biggest area where respondents feel their processes are outdated is end user education (23.2%). "The biggest security weakness is the human factor," said Pete Sclafani, senior director of IS and Strategy at UnitedLayer, a managed Internet service provider located in San Francisco. While monitoring and consistent enforcement can address end user oversights, Sclafani suggests regular education to keep users in the security discussion -- solution providers can often generate additional revenue through ongoing user education. "Some continuing personnel education can be as simple as a 'lunch and learn' on a regular basis."
The next most significant weaknesses that security clients named are in security metrics and measurement (21.9%) and visualization and reporting (21.1%). Without appropriate security metrics, it can be difficult to justify security expenditures (especially in a tight economy). Weak visualization and reporting also make it difficult to track the business effects of new security and other business policy changes. "After an audit, you may remove some inefficiency in a business process," Sclafani said. "But you have to remember to show this ROI to management when they see the price tag."
Although the survey did not gauge security assessment, experts are quick to underscore the need for periodic assessments of threats and vulnerabilities. Internal self-assessments and policy reviews are certainly a start, but independent audits are invaluable for larger organizations -- especially those governed by major compliance regulations. "A key element to judging security posture and fitness is to engage an independent third party to analyze security and offer a qualified opinion," Plato said.
Security market consolidation affects IT preferences
Mergers and acquisitions have profoundly changed the security product landscape. This consolidation has altered the solution provider's line card and molded the attitudes of security professionals.
Mergers and acquisitions don't scare off most clients. Over 75% of those surveyed would continue to buy products from a security vendor that has been acquired. For example, clients still buy products from RSA even though it has been acquired by EMC.
Mergers and acquisitions have also resulted in a distinct slant toward "big-brand" vendors -- clients favor recognized names, and about 58% of respondents are reluctant to buy from small security vendors or startups. Security professionals want vendors that are going to be around to support the product throughout its lifecycle. "Smaller vendors may have a chance," Sclafani said. "But being able to have someone pick up the phone at 3 a.m. when there is a security incident is priceless."
The big-brand trend has also brought disadvantages to security users, the most notable being integration problems. The acquired technology is invariably integrated into products offered by the parent company -- often resulting in performance and support snafus that may take months (or even years) to resolve.
Solution providers like Plato lament the trend toward big-brand selection, noting that the most innovative and proactive security technologies often originate from smaller, newer security vendors. "Cisco is rarely considered a leader in any security technology," Plato said. "Yet Cisco is often adopted simply because of its brand recognition. This is arguably the worst way to select a security technology."
Plato acknowledged the dangers of using smaller, lesser-known products, but emphasized that the benefits in features and performance can far outweigh those risks. Solution providers that partner with smaller vendors will need a compelling argument of solid performance and support to get those vendors into the enterprise.
Market evolution has also prompted other considerations. Almost 70% of clients favor products from larger vendors with integrated features and "single pane of glass" management, where all functions are handled through a single interface rather than by switching between separate computers or applications. Security solution providers can integrate security products into existing management consoles using APIs or standards like SNMP. "Finding a good interface that covers all of your security products is tough," Sclafani said. "We are seeing companies getting the raw data and rolling their own [management interface]."
Almost 80% of clients favor best-of-breed security products, though solution providers note that the product must offer a clear path to improvement (or greater efficiency) in order for the investment to make sense. Solution providers must match the feature set to the needs of their clients while keeping budget constraints in mind. "Best-of-breed can mean big money," Sclafani said.
Solution providers need to consider the platform that's most appropriate for their clients. About 64% of respondents prefer security functionality in the network fabric, while 55.6% prefer security functionality in the OS or applications. Most solution providers choose to recommend a layered approach that addresses numerous elements, such as the gateway, firewall, network and endpoints. A layered approach helps to ensure that a threat that escapes detection in one place will be caught in another. Application security is a growing concern. "Application-level security practices are fast gaining ground and becoming a de facto requirement for organizations that are deploying new or updated applications," Zuk said.
IT pros expect to spend more time and effort on key security activities
We asked respondents about the time they intend to spend on 19 security activities: threat management, vulnerability management, endpoint security, mobile device security, identity management, compliance, application security, governance and risk management, physical/logical security integration, virtualization, Web app security, data leakage, encryption, database security, wireless security, VoIP/unified communications security, data classification and governance, policies and end-user education, and data protection.
Security professionals expect to spend the most time on nine of the 19 security activities listed, with mobile device security (48.1%) and endpoint security (46.5%) topping the list. This underscores a high sensitivity to the security of user devices, and it's certainly not a surprise to experts. "Mobile and endpoint security are also areas us security people have been concerned about for years," Plato said. "It's encouraging to hear that the market is aligning with that concern."
The remaining seven priorities include data protection (46.3%), wireless security (45.6%), encryption (44.9%), compliance (44.7%), policies and end-user education (44.7%), Web app security (42%) and virtualization (41.4%).
Experts like Zuk point out that nontechnical security issues and posture are often overlooked by even the largest organizations across every vertical. "Nontechnical security issues are getting organizations in the hot seat more than the technical aspects," Zuk said, citing a case where a member of Great Britain's security organization, MI5, apologized for losing classified documents on a train. While there is no technology that can prevent such incidents, solution providers can offer training and support to forestall such faux pas.
Expect to see key security technologies evaluated and deployed by IT
We also asked security professionals about the status of many different security technologies to learn what they've already deployed, what they plan to deploy, and what they intend to evaluate in the near future.
Once again, respondents see user devices (endpoints) as one of their biggest threats. In the area of threat management, respondents express the greatest interest in evaluating (32.1%) and deploying (16%) mobile device protection along with evaluating (22.3%) and deploying (12.1%) endpoint security technologies.
Security professionals need to understand what's happening in their environment in order to exercise efficient control. In the area of vulnerability management, respondents express the greatest interest in evaluating (22%) and deploying (13.1%) configuration management products, along with evaluating (25.1%) and deploying (15.5%) log management technologies. "Configuration management also allows for opportunities for automation and troubleshooting," Sclafani said. "Being able to customize monitoring thresholds and parse boatloads of logs from around the network is a biggie."
Encryption stood out in the realm of data protection. Respondents expressed the greatest interest in evaluating (28.9%) and deploying (13.4%) hard disk encryption along with evaluating (27.3%) and deploying (16.4%) laptop encryption technologies. The interest in encryption is driven by compliance and liability concerns. "Lots of news stories on stolen data could very easily have been avoided if the laptop had been encrypted or secured properly," Sclafani said.
Security technologies rarely succeed on their own merits. Solution providers must balance technological selection with a business model that includes well-established policies and a corporate culture that embraces a commitment to security.
Finding funding for security remains a challenge
The last part of our survey asked about security funding. While there's confidence in security and there's a lot of activity and interest in security technologies and practices, finding the money to meet your clients' security needs may prove problematic.
Funding can be scarce -- about 44% of respondents will only spend up to $100K for the entire year. Another 15% will only spend up to $250K, and only 9% up to $500K. Stated another way, about two-thirds of your prospective clients won't spend more than $500K on security. Only about 32% of respondents have budgeted more than $500K for the year.
Most budgets will not increase much over the previous year; 10.5% of respondents foresee a budget increase up to 5%, 14% plan for a 5% to 9% increase, another 14% look forward to a 10% to 24% budget increase, and 6.5% of respondents expect a budget increase of more than 25%. Only about 5% of respondents expect a decrease in their security budget for the coming year, and about half of respondents report no change in their security budget for the coming year (or don't know).
"While most organizations probably do not intend to trim their budgets, solution providers and channel distributors will need to ensure that the solutions that they are providing are scalable and can deliver broader support to meet the customer's needs," Zuk said.
Ultimately, the onus is on solution providers to understand their clients' needs and make every dollar count by selecting security technologies that are versatile, robust and highly integrated. "If security isn't tackled holistically, you end up with a crappy strategy that will be full of holes within months of implementation," Sclafani said. Providers can improve their pitch by tying a rapid ROI to cost-effective security recommendations that address the client's tangible business needs.