Most high-profile information security breaches in the past year have featured some form of credential theft to enable abuse of privileged accounts, and therefore it is not surprising that identity and access management (IAM) is set to move to the fore in 2015.
IAM is set to be the top security initiative for UK and European firms in 2015, according to the latest annual TechTarget/Computer Weekly IT Spending Priorities survey. It replaces network security, which held the top spot for European countries in 2014, and mobile endpoint security, which held it for UK companies.
According to Forrester Research, investment in IAM has grown from just 7% of the total IT spend in 2012 to 10% in 2014. The TechTarget/Computer Weekly data shows this trend is set to continue.
Across Europe, 33% of 2015's respondents indicated they plan to implement IAM initiatives, while 36% of UK respondents voted for IAM.
Analyst and director at research firm Quocirca, Bob Tarzey, said IAM is key to implementing all IT security.
“An increasing focus on IAM deployments is to extend them to outsiders and broaden the scope of access controls,” he said.
According to Tarzey, this often means interfacing to multiple sources of identity or federating identity management.
“This may well be the reason the UK is making IAM a higher priority than other European countries as UK organisations often take a lead in moving to online interaction with their customers,” he said.
Network-based security still a priority
Although no longer in top spot for Europe, network-based security has moved down only one position and therefore remains a high priority for 32% of respondents.
While this may seem surprising in the light of the push towards more data-centric technologies, it does not necessarily mean European firms are still firmly wedded to a traditional approach to security.
HP enterprise security group senior director of products and services marketing Dan Lamorena said although investment is slowing down in traditional network-based technologies, such as firewalls and intrusion prevention systems, companies are increasingly investing in new network-based security technologies.
“These new network-based technologies typically include things like application monitoring systems, next-generation firewalls and sandboxing systems that allow any malicious code that may have slipped through other detection systems to execute without harming the corporate environment,” he said.
Lamorena said that in the face of increased security challenges and limited resources, organisations are turning to catch-all, network-based security technologies such as web application firewalls and runtime application self-protection systems.
“We expect to see a growth in these and similar network-based technologies in the coming months and years,” he said.
Cloud security moves up the priority ranking
Unsurprisingly, data loss prevention (31%) and cloud security (28%) remain among the top priorities for European companies in the light of increased cyber attacks aimed at stealing intellectual property and the growing adoption of cloud technologies to cut costs and improve efficiency.
Cloud security has moved up from eighth position on the priority ranking in 2014 to fourth position in Europe, but virtualisation security has not increased along with cloud security, although it remains consistently high from 2014 at 24%.
Despite the growing emphasis on cloud security in the UK, virtualisation security has also not tracked upwards, with just 13% of respondents indicating planned initiatives in the area compared with 22% in 2014.
Suppliers of virtualisation security products believe enterprises underestimate the importance of dedicated security systems and make the mistake of applying traditional security approaches and systems to virtual environments. But, they argue, these do not meet the unique security demands of virtualised environments.
UK firms more in tune with improved basic security hygiene
While across Europe the top investment priorities are IAM, data loss prevention and cloud security, the top three in the UK are IAM (36%); encryption (32%), patch and configuration management (32%); and endpoint security (30%). This suggests UK firms are more in tune with current security wisdom that advocates data-centric security and improved basic security hygiene.
Cloud security (23%) ranks in fifth position for UK firms alongside data loss prevention, just ahead of network-based security and mobile endpoint security, which are both level pegging at 21% in sixth position.
The UK is below the cloud security average for Europe of 28%, and lags behind Germany (28%) and France (27%), which are both closer to the average in line with traditionally higher privacy concerns of French and German organisations.
But this means UK organisations may have to invest in cloud security in the next two years to catch up with their French and German counterparts to ensure they are compliant with the proposed new data protection regulations.
Decline in mobile security investment "baffling"
Mobile endpoint security is also still a top priority across Europe at sixth position with 25% of respondents indicating they plan initiatives in this area for 2015.
However, this is down from 31% in 2014, when it was a top priority for UK companies, with 40% of UK respondents indicating investment in this area, compared with just 21% in 2015.
While this trend is surprising, mobile security firm Lookout suggests that perhaps organisations concerned about mobile security are investing more in network-based technologies.
Lookout enterprise products vice-president Aaron Cockerill said figures showing a decline in mobile security investment are "baffling", as the firm is seeing only an increase in interest and demand.
“We have seen an upward trend from mid-2014 since we have been planning the launch of our enterprise product,” he said.
Cockerill said media coverage around the increase in mobile threats and mobile malware targeting the Android and iOS mobile operating systems in recent months has generated a lot of interest and demand from enterprises.
Investment in threat intelligence to increase
2015 will also see the emergence of investment in threat intelligence. On average, 12% of European firms plan investments in this area and 9% of UK firms plan to do the same, whereas threat intelligence did not rank as one of the top areas of security investment in 2014.
Threat intelligence systems are becoming increasingly popular as organisations seek to be more proactive in their security capabilities and to shape security strategy and investment based on data drawn from recent attack history.
Similarly, forensic capabilities have emerged as an area of investment in 2015 for the first time, with 10% of European firms and 11% of UK firms indicating initiatives in this field. Organisations are seeking to build their capability to identify how attackers have breached their security, and to shorten the time to recover from breaches by understanding better what the attackers have done and how it was done.
For the same reasons, and because of an increased understanding of how security failures can affect the business, there is also an increase in investment in disaster recovery and business continuity, with 41% of European firms investing in this area, up from 38% in 2014. Investment in backup for virtual servers is also up, increasing by 1% to 36%.
Overall, the security buying intentions for European companies in 2015 indicate a growing maturity in their approach to security that accepts that attackers are likely to breach perimeter defences.
As a result, companies are investing more heavily in detection, mitigation and recovery technologies aimed at reducing the impact of cyber attacks on the business.