Securing your business--what to invest in

 

Summary

Today's enterprise faces loads of security challenges. Find out which areas to focus on to keep your organization's data safe and sound.


The credit crunch and recession have put a squeeze on most IT budgets but one area that remains a priority is security.

Embarrassing data breaches and compliance pressures mean IT security is taking an ever-increasing slice of the overall IT budget pie. According to analyst Forrester, enterprise IT security jumped from 7.2 per cent of tech budgets in 2007 to 12.6 per cent in 2009.

But aside from the usual day-to-day operational IT security, what kind of strategy and investment do organizations need to put in place to secure themselves in the face of a changing landscape of security threats and new technologies?

The first place to start is for businesses to look at exactly what assets they have deployed, who is using them and for what business purpose.

Tony Lock, program director at analyst Freeform Dynamics, said: "Without this information and without keeping this information up to date, because it changes rapidly, it's very hard for the organization to understand what security policies [an organization] actually needs to have in place and against which threats it needs to protect itself. Only then can you begin to put in place an IT security strategy."

Beware the breach
Data breaches have undoubtedly focused minds within many public and private sector organizations on technologies such as encryption and Web security.

But, although security is often stated as a top priority by most businesses, it can take a serious breach to get the backing of the entire organization to address those security issues.

Adrian Seccombe, chief information security officer and senior enterprise information architect at pharmaceutical giant Eli Lilly, and board member of security body The Jericho Forum, says: "Those organizations which have not had a breach yet will find it quite difficult to get the amount of political will and energy they'll need to actually make sure that privacy awareness is more than just skin deep in their organization. It needs to be built into the muscle."

Insider threats
One of the most effective ways to tackle this is not technology but training. Staff--either deliberately or inadvertently--are still one of the main causes of data security breaches.

"I'm seeing a lot of companies putting in place security-awareness programs," said Fran Howarth, principal analyst at research firm Quocirca.

Eli Lilly has had such a program in place since its own breach in 2001, when the e-mail addresses of subscribers to the company's Prozac.com Web site were accidentally exposed by an employee e-mail.

"It's all about people. It's all about awareness. It's all about processes--and the technology aspects are only a very small piece of it," says Eli Lilly's Seccombe. "So we've had in place for a good long while now a privacy-awareness program that's been engaging and communicating the importance of maintaining privacy. If you've got a workforce that understands [security], you've got a chance of being able to deliver it."

Encrypt it
Organizations are also employing widespread encryption technology to secure corporate data. One example is Barclays, which is rolling out enterprise-wide encryption and installing key management servers at its data centers worldwide.

But many other companies are still failing to adequately protect and secure data, with 70 percent of organizations suffering a security breach admitting the lost data was not encrypted, according to a recent survey by data center networking vendor Brocade. A recent survey by ZDNet Asia's sister site Silicon.com revealed only a third of respondents use encryption to safeguard data on laptops.

Open for business
The changing nature of organizations is also presenting a major security challenge as companies tear down their traditional perimeters to enable a more collaborative relationship with partners, suppliers and even customers.

"The impact on me is: how do we change the way we think about securing ourselves in a world which is much more open and connected than the one which is previously hiding behind our own brick walls?" asked Eli Lilly's Seccombe. "For us it's about, how do we make ourselves ready for being connected to many more organizations? That driver is coming from the top of our organization, from the CEO who is demanding that we shift at a speed that is fundamentally quite scary."

The cloud
This kind of open and collaborative organizational structure raises all sorts of challenges around identity and access management, which are also closely linked to the emerging phenomenon of 'cloud computing' which has seen more and more software and services hosted online.

Freeform Dynamics' Lock says: "What's happening now is people are trying to standardize on one or two [ID systems] to allow, essentially, single sign-on and single authentication for people."

At Eli Lilly the focus is on federated identity and how the company can build an open identity and access model. "The place where we're focusing a fair amount of initiative and energy and resources is in that domain of identity, authentication and access management because we are starting to realize that unless we can actually extend identity outwards beyond our own frame, as it were, we're not going to be able to achieve the collaboration we want," says Seccombe.

Where's my data?
Another security headache posed by the cloud is that of data protection, transit and storage because of the difficulty organizations will have knowing exactly where their data is and what legislation it is governed by. In fact these security fears are the main reason companies are refusing to be swept up by the IT industry hype around cloud computing, according to Lock.

"The cloud and the idea that it's everywhere and nowhere just doesn't work when it comes to data because there are so many different data protection and data transit issues. It's got lots of legal ramifications; it's got lots of operational ramifications. Cloud is too woolly a term for people to even begin to contemplate using it in this context," he said.

Compliance and legislation more generally are also driving data security initiatives, with the specter of security breach and disclosure legislation looming for Europe.

Quocirca's Howarth said: "People are really having to put in more information governance structures for those. It's going to cost more and more. There's going to be more regulations and they are going to be more prescriptive."

Ultimately, however, good IT security strategy still comes back to people more than technology.

Lock says: "Too many organizations end up treating security as being a technology issue. It isn't. Security is all about people and how they operate. Frankly the technology side of that is small."

Andy McCue of Silicon.com reported from London.
