September 30, 2011
According to our survey data dating back to 2008, despite year after year of high profile security breaches from Heartland Payment Systems to Wikileaks to Sony, security budgets have only increased by single digits. This is hardly enough to keep up with the increasing sophistication of attacks, the avalanche of breach notification laws and the changing business and IT environment.
The changing business and IT environment is perhaps the greatest concern. With a massive explosion of mobile devices and other endpoint form factors and an ever expanding ecosystem of customers, partners, clouds, service providers and supply chains, you increasingly have less and less direct control over your data, your applications and end-user identities. We refer to this expanding ecosystem as the “extended enterprise.” An extended enterprise is one for which, a business function is rarely, if ever, a self-contained workflow within the infrastructure boundaries of the company. We believe that the extended enterprise is such a major shift for CISOs and security professionals that we dedicated our upcoming Security Forum to it as well as a significant stream of research.
But back to security budgets. I have a few theories that I’ve been exploring with the rest of the Security &Risk (S&R) team. First, security professionals are uncomfortable applying risk management concepts to security. We just don’t believe that it’s possible to estimate the probability of the occurrence of specific security risks and we’re certainly not good at quantifying the impact to the business (whether it can or can’t be done is another blog post). Unfortunately, this is typically how business leaders make decisions. Second, we haven’t done a good job of tying the value of security investments back to business objectives. That probably explains why for the past three months, our most read research report is Ed Ferrara’s report on executive-level security metrics, Don't Bore Your Executives — Speak To Them In A Language That They Understand. Lastly, while we have made strides changing our perception in the organization that we are no longer the “Department of No”, we still have a long way to go. When I talk with other IT leaders and professionals like CIOs and app dev professionals and non-IT leaders like procurement specialists and marketing execs, they avoid engaging security like the plague. They often complain that security pros dive into technical controls and issues without understanding the initiative and the security team is notorious for holding up anything they are working on. Deserved or not, that’s our reputation.
What do you think? Are these the main issues?