Physical, corporate and IT security departments have seen much activity in recent years. But trends in spending and security management show us clearly that the IT security market is not what it used to be, and all security managers (corporate, physical, and IT) are taking notice. The success of IT security vendors in the late 1990s was due to several unique factors. First, the economy was booming and technology was perceived to be a "solution" to problems and an "enabler" of business. Second, security initiatives were largely driven by a small group of security specialists "in the bowels of the IT department" who made their own priorities and were exempt from most business process justifications. And third, security marketing was effective at creating an unspecific "need" in the minds of senior business and IT managers — these managers were willing to fund security projects, but were not interested in the details.
Today, we have another unique combination of factors: the world is even more aware of security, but it also demands justification of security's value. So, with security staff having little aptitude for explaining the value of security to financial and business managers, many security projects are at a standstill.
For the most part, corporate and IT security vendors don't get it. Some IT security vendors recognised the benefits of talking about security in business terms two years ago, when Netegrity and a few other vendors showed the market that they could be successful selling a security technology directly to business unit managers. Today @stake, PricewaterhouseCoopers, Deloitte & Touche, IBM and many others publish white papers and marketing collateral promoting the view that security must map to business requirements. The executives at @stake may have the most developed of these strategies offered by a vendor. Aside from some serious shortcomings in their conception of the market (which we do not have space to address here), they attempt to translate all security concepts into terms the business manager can understand, for two reasons: (1) business managers must understand what the options are in order to make an informed decision about managing their own risks, and (2) security managers need language tools and arguments for presenting the case for better security to the business. It is a small step in the right direction.
Spending on Security Technology — No Recovery for Several Years
Not surprisingly, the vendors are predicting rapid growth in the security market. I'm sure they hope to create a spending "buzz." Last fall, IDC declared that spending for security products and business continuity services will grow at a rate two to three times faster than overall IT spending — from $US66 billion in 2001 to $US155 billion in 2006 (Source: COMDEX, The Daily, Margie Semilof of www.searchwin2000.com, Tuesday, November 19 2002, p.47). But growth like that is very unlikely. There is far too much technical and procedural infrastructure needed to make vast security expenditures worthwhile. Instead, security managers have ahead of them months of retooling for a more business-oriented security posture, and years of building security architectures.
Some people and organisations that have been volume consumers of security products will continue to be. For example, security managers in large banks, defence contractors and other risk-intolerant organisations will buy products and services at the same or slightly slower rate, relative to previous years. But expect extremely conservative spending by most companies in most industries.
Considering 2002 spending patterns as an anomaly, Giga expects the general climate of IT budget-cutting to catch up with the security segment. For 2003, Giga projects lower security budgets than 2002, but slightly higher spending. How is that possible? Most companies left allocated security funds on the table — unspent since they could not justify projects in order to get approval. In 2004 to 2006, companies will learn how to put security projects in terms of business value, driving modest annual growth. Therefore, we do not expect IT security spending to match 2001 levels until at least 2005 or later.
The evidence for this is in extremely conservative spending projections by European and North American organisations. Giga collected evidence of spending and security priorities from chief security officers, heads of IT security, CTOs and business managers from the largest corporations on two continents, and from dozens of midsize organisations. The message was clear: "We are not spending money on security until we can justify it."
Justifying it is precisely what IT security managers cannot seem to do. They know, deep down, that it is useful, and perhaps even necessary. But they do not have experience communicating the value of security, or making it sound relevant to business managers.
Of course, a dramatic cyber terrorism event, or a sudden increase in malicious Internet-borne activity, could cause an uptick in security spending. But reactive spending of that sort is usually poorly planned and short-lived, and it tends to backfire in the long run: companies that spent money foolishly after the last scare are now more conservative about spending.
The Key to Success
The key to success is to improve the operational efficiency of security while simultaneously improving effectiveness. That means cutting costs, streamlining processes and closing windows of opportunity for loss, while carefully selecting only those technologies and projects that actually relate to business requirements. At the same time, vendors should clearly communicate the business and technical problems they aim to solve or address.
In IT security specifically, the leading security initiatives throughout 2003 will reflect security architecture and policies across five categories:
1) Streamline the authentication infrastructures with enrollment and registration tools, single sign-on and password management.
2) Distribute authorisation technologies such as firewalls, content filtering and antivirus to the local network segments and systems where they will do the most good. Focus on operating system and application protection.
3) Coordinate administration tasks across business units and business partners. Utilise provisioning, user administration and identity management.
4) Organise an effective audit methodology, including intrusion management, compliance management and other technologies related to response and reporting.
5) Engage consulting and managed security services for strategic planning and short-term relief from tactical tasks.
- Steve Hunt is the VP, Security at Giga Information Group, a wholly owned subsidiary of Forrester Research.