Information security budgets are increasing, with the money going to meeting regulatory requirements, securing mobile workforces on endpoints and safeguarding cloud computing rather than to employees and contractors.
On May 12, the WannaCry ransomware (aka WannaCrypt, WannaCryptor and wcrypt) spread rapidly as a computer worm, infecting over 230,000 computers in over 150 countries. The ransomware propagated by exploiting vulnerabilities in Microsoft® Windows Server Message Block (SMB).
Considering WannaCry and a predecessor worm called CodeRed, we see enterprises continue to fall prey to viruses and ransomware attacks. They remain vulnerable to many forms or vectors of attack, including phishing schemes, which entice users to execute an exploit via email or a Web browser. We also see enterprises expanding their attack surface by adopting cloud-based IT services and supporting mobile workforces operating outside of traditional network perimeters. Enterprises, however, see user behavior and lack of budget as their top information security pain points, according to 451 Research.
Voice of the Enterprise (VotE): Information Security, Budgets and Outlook 2016 is 451 Research’s second in-depth look at security budgeting, following the 2015 survey. A year-over-year view, with a look at the future, shows security budgets increasing but coming under fire for security breaches and regulatory requirements that shift spending allocations and dictate future direction. In the “Budgets and Outlook 2016,” VotE surveyed 500 information security decision makers worldwide, primarily based in North America and Europe, and supplemented the survey with 20 in-depth phone interviews. The representative sample of small, medium and large organizations in the public and private sectors focused on enterprise information security budgets, spending and cloud security.
Besides increasing security budgets, enterprises are increasing their spending on software-based over hardware-based security, using operating expenses for subscriptions rather than capital budgets for infrastructure, and deploying endpoint-based security over network-centric solutions. These changes are due to the increased exposure beyond the network perimeter; organizations are increasing their security budgets and changing the focus of their buying to support modern, mobile workforces and new cloud-based computing architectures. This is reducing the money spent on perimeter-based hardware, such as firewalls and intrusion detection systems, and changing how organizations consume security software, from capital expenditures to operational costs for subscriptions.
From Q2 2015 to Q4 2016, information security budgets continued to increase for most enterprises surveyed: 48% of respondents indicated a planned increase while only 4% planned to lower their spending. But organizations are not spending money on security simply to allay fears of viruses and worms. Spending on security projects is largely driven by perceived risk or risk assessment, calculating the probability and impact of a potential security problem. Risk assessment was the key determinant in approving information security projects in 2016, followed by compliance. More than one-half of the respondents cited industry compliance requirements, such as the Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard, as the most important aspect of compliance within the 90 days before the survey.
Figure 1: Top five security pain points
In 2016, the primary source of security pain driving projects changed from malicious software or malware in Q3 2016 to user behavior in Q4 2016: 28% of 528 respondents are primarily focused on solving security issues for user behavior (see Figure 1). Phishing, which exposes organizations to malware, is a security issue primarily directed at user behavior. The second top concern in Q4 was lack of budget (22%) while the third concern was malicious software or malware (21%). Two concerns that rose to the top in Q4 2016 were endpoint security (21%) and the accurate, timely monitoring of security events (21%).
The 12-month outlook for security budgets is fair and sunny. In the next year, 52% of respondents surveyed anticipate a slight increase in their budgets while 15.6% plan for a significant budget increase. Where is the money going? When asked how the organization’s total information-security-related spending will be distributed in two years, the budget percentage allotted to people, including employees and contractors, appears to decrease from 34% in 2016 to a projected 32% in 2018 (see Figure 2). Although the money planned for third-party-supplied software security tools will remain at over 30%, spending on third-party-supplied hardware security tools will decrease while spending on third-party-supplied security services, including managed security services, will increase from 12% to over 15%.
Figure 2: Security spending distribution
Spending for endpoint security rose from 26% of 2015 budgets to 29% in 2016. Although spending for security management, including Security Incident and Event Monitoring (SIEM), dropped approximately 2% from 2015 to 2016, organizations are planning to spend more in 2018. No doubt they would like better warning of incoming worms like WannaCry and CodeRed. Like security management, application security spending dropped in 2016 but is expected to pick up again in 2018. Network security, which includes firewalls, Intrusion Detection Systems and antivirus software, continues a steady decline from 40% in 2015 to 35% in 2018.
I reported on law firms’ increased use of cloud computing in Law Firm Cloud Computing (Forum, Vol 2, Issue 2, 2016), when more than one-half of 79 Am Law 200 firms responded positively when asked whether they used cloud computing in ALM’s “2015 LTN Tech Survey.” The ALM survey indicated that the big challenge for law firms to shift computing resources to the cloud is allaying security concerns, which was corroborated by an International Legal Technology Association poll of 1,282 members: 14% responded that they had security reservations about moving applications and workloads to the cloud.
VotE research on cloud security shows a steady shift toward hosted public cloud continues at the expense of on-premise and hosted private cloud deployments. The percentage of respondents using on-premise private cloud declined from 44% in 2015 to 37% in 2016; hosted private cloud declined from 34% to 30%. On the public hosted cloud architecture and services, the reported use of Infrastructure as a Service (IaaS) among respondents was high, moving from 32% at the end of 2015 to 37% in 2016. For Platform as a Service (PaaS), the shift went from 18% in 2015 to 23.5% in 2016.
The gradual rise in public cloud computing from its economies of scale is not surprising, but it is refreshing to see the erosion of security as an inhibitor to cloud deployments. When 710 respondents were asked in Q4 2015 to categorize their organization’s information security view of hosted cloud computing solutions (hosted private cloud, IaaS and PaaS) in terms of the organization’s tolerance for information security risk, 30% said the benefits of using a hosted cloud solution provider outweigh the information security risks. In Q4 2016 the number increased to 35% of 414 respondents.
Despite the erosion of security as an inhibitor to cloud deployments, security features remain important to the selection of a cloud service provider: 56.7% of respondents said security was very important to cloud service provider selection; 49.4% believed it very important for cloud providers to meet regulatory and compliance controls. The two criteria are easily combined, since security controls must meet regulatory compliance requirements.
Table 1: Security and compliance concerns
The greatest worries regarding cloud service providers are data breach, keeping organizational data confidential and the cloud provider’s auditability. Despite the concerns, only 37% of cloud users are performing vulnerability assessments of their hosted cloud service providers; 55% of users receive the results of vulnerability assessments from the cloud service provider.
Of the security controls to address concerns, encryption remains the most important countermeasure followed by identity management controls, including authorization and access controls (see Table 1). Following the top security controls, the next three are contractual controls with the service provider: liability for breaches; contractual controls around roles and responsibilities of cloud provider and customer; and service level agreements (SLAs). Other security tools followed contractual controls, including data leakage or loss prevention, key management, and data sovereignty (provenance of data location).
Meet the author
Sean La Roque-Doherty is a 451 Research analyst covering information governance, compliance and electronic discovery. He is licensed to practice law in California, the District of Columbia and New York.