This shows a shift away from identity and access management (IAM), which was the top area of investment for firms in the UK and Europe in 2015, to focus more directly on data protection.
The top prioritisation of data loss prevention by 38% of UK firms is also in contrast with the consolidated European survey results, where identity and access management continues to be a top priority alongside network-based security by 29% of companies polled.
For UK firms, IAM has dropped down to sixth position in security spending priorities, below single sign on (35%), mobile endpoint security (34%) and user security training (33%).
Encryption is level-pegging with IAM as a priority for 32% of UK firms, while across the whole of Europe, encryption is in joint second position with user training (27%), only slightly ahead of data loss prevention and single sign on (25%).
In the wake of the Snowden revelations about mass internet data surveillance by the US and its allies, encryption has come to be seen as an important part of organisations’ and individuals’ privacy protection strategies.
Meeting GDPR requirements
Overall, the poll of more than 1,000 European respondents, including 194 from the UK, shows increased emphasis on data protection throughout Europe. This could be in anticipation of stricter rules in the General Data Protection Regulation (GDPR) that is expected to come into force in 2018.
The continued emphasis on IAM shows that most companies see these technologies as being key to increasing control of data and improving their governance, risk and compliance capabilities. It also appears that companies consider encryption an important part of their data protection strategy.
“If done properly by embedding it in enterprise processes and policies, IAM could help dramatically in meeting GDPR requirements,” said Matthias Reinwarth, senior analyst at KuppingerCole.
Organisations in the UK and Europe have tended to hold back on investing in user security training in the past. However, the relatively large number of organisations planning to invest in it shows they are finally maturing to heed the long-standing recognition in the security industry of the importance of users in improving security levels.
In another sign of maturity in both the technology and attitudes to information security, single sign on technologies are high priorities in Europe (25%) and the UK (35%) as organisations seek to make it easier for users to access data assets securely.
Single sign on systems typically mean that, while users only need to remember a single complex password that can be augmented with second factor authentication, passwords for individual systems can be far stronger than in the past because users do not have to remember them.
It is interesting to see that investment in more traditional network-based security continues to be high in Europe (29%) and the UK (29%). This is despite the information security industry’s admission that traditional approaches are no longer delivering high levels of protection and the general trend of new technologies to be more data-centric than network-based.
However, the continued investment in network-based security could be linked to the increased emphasis on network visibility as the foundation of a multitude of information security capabilities.
Surprisingly, investment in application-based security tools is set to be low. Investment in this area is planned by only 9% of European firms, down from 11% in 2015, and 7% of UK firms, down from 9%. This is despite the continuing trend of attackers to move up the stack from the network to the application layer.
The recognition that the value of traditional security products is decreasing is perhaps reflected in the investment across Europe in next-generation firewalls (22%). This is also the case for investments in emerging technologies for vulnerability management (22%), threat detection (20%) – up from 11% in 2015 – and security data analysis (19%), with similar levels of investment in the UK.
BYOD and cloud
Unsurprisingly, mobile endpoint security is a priority for many UK (34%) and European (24%) organisations. This is in line with planned investments in corporate mobile devices by almost 40% of organisations in the UK and across Europe.
Some 37% of UK organisations and 30% of organisations across Europe also plan to implement a mobile or tablet bring your own device (BYOD) programme.
Similarly, 22% of European and 27% of UK organisations plan to invest in cloud security in 2016, as the number of companies switching to various cloud-based services continues to grow. Some 23% of European companies and 29% of UK firms plan to invest in hybrid cloud and management infrastructure in the coming year.
While investment in threat intelligence continues to be relatively low in Europe (15%) and the UK (14%), this is up from 12% and 9% respectively in 2015, with no significant levels of investment in this area at all in 2014.
Although forensic capabilities emerged as an area of investment in 2015 for the first time – with 10% of European firms and 11% of UK firms indicating initiatives in this field – it is not seeing much growth, with the number of organisations investing in this area remaining static at 11%.
Security relating to the internet of things (IoT) has emerged as a new area of security investment in 2016. However, this is still a relatively low priority despite the hype around the topic, with only 11% of organisations across the UK and the rest of Europe planning any projects in this area.