Security spend grows but reactive, not agile security dominates: Telsyte

Foad Fadaghi, Telsyte

Many Australian companies continue to throw money at their existing security platforms despite the need for deeper policy change driven by an onslaught of new technologies and the threats they introduce, new survey data has revealed.

Speaking at an Agile Security breakfast in Melbourne hosted by CSO and sponsored by NetIQ, Telsyte research director Foad Fadaghi shared the results of the company’s 2012 Australian IT Security Study.

Of more than 300 IT decision-makers surveyed, 29 per cent reported that security budgets will increase in the next twelve months, with a 14 per cent average rise in spending.

Around a quarter of companies said the spate of high-profile hacking incidents during 2011 had inspired them to revisit their own security policies, with 48 per cent and 46 per cent of respondents saying the incidence of malware and spam threats had increased in the last year. By contrast, half or more of respondents said mobile, cloud and network intrusion-related threats had stayed the same and one in five felt those threats were decreasing.

Three-quarters said the incidents had prompted increased awareness amongst senior management and board members, while half reported an increased focus on operating systems and 42 per cent said they had increased their focus on backups and disaster recovery.

Interestingly, amongst those affected by the 2011 incidents, 39 per cent said the high-profile events had made it easier to get approval for security spending, and 36 per cent had seen their general security budget increased.

Although this reflects a growing awareness of critical security issues, Fadaghi warned against complacency, saying that money isn’t enough by itself to protect companies for whom security has often been difficult to approach in a focused and coherent manner.

“Preparedness comes from vision and process, not just budgets and reactive spending,” he said. A better long-term strategy is for companies to adopt ‘agile’ security principles that, like the agile development processes currently revolutionising the process of building enterprise applications, are built around near-continuous review and an ever-present willingness to adapt security strategies to new threats and changing circumstances.

This had been difficult for many companies, who faced assaults on so many levels that agile security remained an elusive concept rather than an actionable strategy.

“The proliferation of these technologies has been happening very quickly,” Fadaghi explained. “It has put too much on most people’s plates, and we’re getting distracted from being agile enough to deal with them. In a couple of years, we could see cloud and mobile becoming persistent issues on their own.”

Despite the potential impact of these threats, fully 65 per cent of companies will retain existing spending levels – suggesting that many companies are still failing to recognise the long-term compounding effect of new security threats posed by technologies like Web applications, cloud computing, and mobile devices.

Only 18 per cent of respondents said cloud data security was a critical priority. Mobile security was named by 22 per cent as critical, and nearly one in six respondents reported issues around mobile threats. While advanced persistent threats were an area of strong concern, social networks were particularly worrying given the amount of data they are accumulating about individuals’ likes, histories, and daily activities.

“It’s no surprise that persistent threats are at the top of the scale, but more businesses are experiencing threats related to mobile and social engineering,” Fadaghi said, noting that 14 per cent and 15 per cent of respondents, respectively, had reported security incidents related to social engineering and mobile technologies.

Only 21 per cent of respondents said they intended to add mobile device security software in the next 12 months – despite malware being the respondents’ top security concern.

“There is an enormous amount of data that every day is being shared on social networks,” he said, “creating a pool of information that is primed for people looking to expose social engineering as a threat. The cloud is really a honeypot for information.”

As companies move to embrace cloud, mobile and other new technologies, the key was to integrate security from the ground up rather than allowing it to be an afterthought.

“Agile security means taking less reactionary tactics in the event of an incident,” he said. “Security is increasingly becoming part of the day-to-day processes we put in place. If we have good information security as part of our processes, when a technology like media tablets comes along we can be more confident in using it.”

Stories by David Braue