Data protection will be the top security initiative for most UK organisations in 2012, a survey of IT professionals has revealed.
Media focus on the topic is driving public awareness as increasing powers of the Information Commissioner’s Office draw the board's attention to the risks.
This is reflected in the fact that 43% of UK organisations polled by Computer Weekly publisher TechTarget said they plan to implement data protection initiatives in the coming year.
Similarly, 21.6% plan to invest in identity and access management and 23.9% in threat management, including anti-malware systems.
Analysts say the focus on data protection may also be linked to the fact that the Information Commissioner’s Office (ICO) is increasingly exercising its power to impose monetary penalties of up to £500,000 for serious data breaches.
In a difficult economic climate, limited financial resources are a guiding principle in many of the information security spending decisions for the coming year.
A more data-centric approach to security has been advocated for quite some time, yet 40.9% of the UK companies polled plan to invest in network-based security in 2012.
In reality, data-centric security remains out of reach for most organisations as their information security strategy and operational readiness remain immature.
Back to basics
In these current times of austerity, businesses often consider it imperative to maximise the spread of protection and to concentrate on the basics, according to Mark Brown, chief information security officer at SAB Miller.
Consequently, businesses are concentrating on network security to establish a baseline maturity before tackling more focussed security issues, he told Computer Weekly.
According to the survey, the third highest area of security investment in 2012 for UK companies is application security, yet it remains relatively low at only 26.1% of businesses polled.
The constant need for agility in software development has left most businesses with badly developed application source code that is vulnerable to exploitation by hackers. But many businesses have under-invested in perimeter security controls for years and are now having to catch up.
“With limited budgets, it is often a case of providing security protection in alignment with a maturity model, starting with the basics and then advancing up the capability curve,” said Brown.
Only once a sense of security has been achieved at the network perimeter will the focus move to application security, he said.
Mobilisation is another hot topic in business IT, but according to the survey only 28.4% of respondents plan to implement mobile security initiatives in 2012. While this appears relatively low given the hype, actual enterprise adoption of smart mobile endpoints remains dwarfed by traditional IT deployments.
Another reason that mobile device security implementations are relatively low – despite IT security managers ranking mobile device security as a top pain point – is that security solutions have not caught up to the problem at hand, according to Daniel Kennedy, research director at 451 Research, a division of The 451 Group.
Piers Wilson, senior manager in the information security practice at PriceWaterhouseCoopers, said only around a third of companies are actively looking for security around mobile devices, because the front runners have already implemented such systems and the remaining third are not yet ready.
Cloud and virtualisation security
Cloud and virtualisation security are fairly low on the priority list at 9.1%, but according to SAB Miller’s Mark Brown, many companies have already virtualised environments and answered the security queries this rationalisation poses.
Cloud security, he says, is not a topic that has gained widespread adoption across multinational corporations, often hamstrung because of the legacy legislation and compliance burdens which have not kept pace with advances in technology and working practices.
According to 451 Research, most adopters of Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) are going with whatever the cloud provider offers. This approach, said 451 Research’s Daniel Kennedy, suggests a fairly nascent space.
“However, the majority of cloud implementations we are seeing would be termed private cloud or in-house/in-datacentre implementations of a cloud capability, such as rapid or automated provisioning, and when it comes to private cloud, security managers revert to the ‘hopefully my existing products will work’ approach,” he said.
The trends in security initiatives to be implemented in 2012 roughly follow the adoption patterns of new and emerging technologies, tempered by the difficult economic climate and relative immaturity of appropriate security products, services, skills and knowledge.