Hacks focus CIOs on IT security

news After the spate of high-profile hacking incidents in 2011, Australian CIOs and IT and security managers are taking no chances this year. According to new research by local analyst firm Telsyte, Australian enterprises will increase their security spending and change their information security strategies in 2012.

Telsyte said that it surveyed more than 320 senior IT executives on their information security priorities, spending intentions, and products and services usage as part of the Telsyte Australian CIO information security priorities study 2012, which the company claims is one of the largest local market research studies of its type.

The study indicated that nearly a quarter of Australian enterprises plan to change their security strategies as a result of the events of 2011. It said that an increased awareness of security among the board and senior management members represented the most significant strategic shift. There is also going to be more focus now on operating system security, backups and disaster recovery.

According to Telsyte senior analyst Rodney Gedda, for many Australian CIOs and security engineers, the untoward events of 2011 have turned into a blessing. “Security is often viewed by senior management as an unwanted operating expense, but when the company’s reputation and revenue is exposed, as demonstrated so flagrantly last year, security becomes more strategic,” said Gedda.

Going by Telsyte’s research, security spending is also on the up with 29 per cent of organisations planning to increase their budget in 2012.

“With security spending on the up this year, CIOs are looking to engage with numerous providers to defend their organisations against increasingly multi-faceted threats,” said Gedda. The top security priorities for CIOs is stopping malware and preventing external attacks, but there is an increasing amount of concern around the threat that mobile devices like smartphones and media tablets pose, as well as cloud computing. The study pointed out that approximately 20 per cent of CIOs rate mobile and cloud security as a critical priority and around one-third rate them as very important.

“While mobile and cloud security are still relatively low on the security priority list for CIOs, these will become an increasing priority, particularly if there are high-profile incidents relating to these two trends,” said Gedda. He added, “A significant percentage of organisations have experienced at least one information security breach over the past 12 months, indicating threats are very real and require constant defence. Mobile security incidents outnumber cloud data breaches, but with the events of 2011 looking to continue this year CIOs need to be prepared for a high-profile security incident outside their organisation’s borders.”

opinion/analysis
It’s all very nice to say that CIOs are increasing spending on security, but what does this really mean? IT security vendors have known for a very long time that the desktop PC security market — where most of the threats come into organisations — has been commoditised. Virtually every large organisation has a comprehensive anti-virus/anti-malware ‘kitchen sink’-style suite installed on their employees’ desktop PCs and has had for years.

The same is often true of server environments. Firewalls, server-side email anti-spam/anti-malware suites, server protection tools, off-site backup and disaster recovery … much of this has been in place for years. And physical building security is pretty well understood.

One area which I would think organisations would need to look more closely at would be more discrete data protection. That is, not just throwing a security blanket over an organisation’s entire data set, but looking at what sets of data are critical to the organisation and need to be protected with higher levels. Any data used by the top levels of executive management, for starters: You don’t want the CEO’s email or the CFO’s spreadsheets being stolen. Customer database, secret product development initiatives; this kind of stuff.

Anything that’s going to provide the organisation with a sustainable market advantage, or threaten ongoing operations, probably needs a higher level of protection than run of the mill information.

I would also bet that some organisations are starting to invest, finally, in data encryption. For the longest time, corporate data has been firewalled off and scanned for malware; but it hasn’t been encrypted. But mass corporate encryption, with the tools to do so centrally administered, could do a lot for data leakage. Even if you can steal the data, it won’t mean much if it’s scrambled.

Opinion/analysis by Renai LeMay