With the IT Trends & Analysis holiday break starting next week (December 23-January 3), I’m clearing out my mailbox, and trying to incorporate the various vendor 2014 predictions into this week’s stories, including today’s focus on security. One would expect doom and gloom forecasts from security vendors – and IT industry analysts – and you won’t be disappointed. Looks like CISOs can expect the Grinch for the holidays… and the foreseeable future.
Recent publicity about cyberattacks and data security breaches has increased IT risk awareness among CIOs, chief information security officers (CISOs) and senior business executives. However, Gartner’s 2013 Global Risk Management Survey found that fear of attack is causing security professionals to shift focus away from disciplines such as enterprise risk management and risk-based information security to technical security. This shift in focus is driven by what Gartner analysts refer to as fear, uncertainty and doubt (FUD), which often leads to reactionary and highly emotional decision making.
“While the shift to strengthening technical security controls is not surprising given the hype around cyberattacks and data security breaches, strong risk-based disciplines such as enterprise risk management or risk-based information security are rooted in proactive, data-driven decision making,” said John A. Wheeler, research director at Gartner. “These disciplines focus squarely on the uncertainty (as in, risk) as well as the methods or controls to reduce it. By doing so, the associated fear and doubt are subsequently eliminated.”
The IT security market will grow at a CAGR of 9.29% over the 2012-2016 period, more than double the 4% increase overall IT budgets will see in 2014. In addition to Cisco, the key vendors include EMC, Fortinet, Hewlett-Packard, Juniper Networks, McAfee, Palo Alto Networks, Symantec, and Trend Micro.
Despite being busy spying itself, the US government’s security budget is expected to be $6.1 billion next year. That’s up from last year’s $5.9 billion, and a lot less than the $7.3 billion projected for 2017. Contrast that with the U.S. intelligence budget for FY13, which was set at $52.3 billion, with an additional $400 million in spending across other government agencies that require some level of interaction or data sharing with the intelligence community.
However, earlier this month IDC’s 2014 predictions included two items highlighting why security’s future looks so dismal. First, 70% of CIOs will increase enterprise exposure to risk to accelerate business agility through increased cloud adoption. Second, compounding that increased risk exposure, by 2015, 60% of CIO security budgets for increasingly vulnerable legacy systems will be 30-40% too small to fund enterprise threat assessments.
Next year will see plenty of opportunities for big data security analytics to enter the enterprise security mainstream, according to a new blog from Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group. Key drivers include: continuing problems with incident detection and response; Moore’s law and open source; and tons of activity on the supply side, from the usual suspects like HP, IBM, McAfee, and RSA Security, and newcomers like 21CT, ISC8, Hexis Cyber Solutions, Leidos, Narus, and Palantir.
In its 2014 security predictions report Trend Micro stated that one major data breach will occur every month next year, and advanced mobile banking and targeted attacks will accelerate. “We see the sophistication of threats expanding at a rapid pace, which will impact individuals, businesses and governments alike,” said Raimund Genes, CTO, Trend Micro. “We will also see the evolution of the IoE, which serves as a prelude to the surge in technological advancements as the decade closes.”
Last week RSA, the security division of EMC, released the latest Security for Business Innovation Council (SBIC) report, with five recommendations to overhaul outdated information security processes. The recommendations are: Shift Focus from Technical Assets to Critical Business Processes; Institute Business Estimates of Cybersecurity Risks; Establish Business-centric Risk Assessments; Set a Course for Evidence-based Controls Assurance; and Develop Informed Data Collection Techniques.
“For the enterprise to successfully innovate in today’s digital world, security teams must re-evaluate cyber risk management efforts, steering away from reactive, perimeter-based approaches that are inflexible and focus instead on proactive collaboration with the business,” said Art Coviello, Executive Vice President, EMC, Executive Chairman, RSA. “Updated processes as described by the Council can help organizations achieve a greater visibility of risk that can be harnessed to benefit the business.”
While security pros (and vendors) grapple with new and emerging threats, old standbys like SQL injection attacks continue to work their evil ways. According to Trustwave’s “2013 Global Security Report,” SQL injections accounted for 26% of the infiltration methods used by hackers in the data breaches it analyzed in 2012.
Third-quarter cross-site scripting (XSS) and SQL injection activity was up 32% on the second quarter of this year, as hackers specifically target web-facing and cloud applications that carry sensitive data about businesses and their consumers.
“The largest attacks to date have been SQL injection,” said Brett Helm, Chairman and CEO, DB Networks, in a recent interview. SQL injection is a technique in which the attacker exploits a flaw in application code that builds SQL statements from untrusted input, so that the input becomes part of the statement sent to the database rather than a plain value.
“One of the significant reasons that SQL injection is still a problem after 10 years is because current solutions on the perimeter do not stop it.” The company, which focuses on behavioral analysis in database security, introduced the IDS-6300 intelligent security appliance, what it called the industry’s first next-generation Core Intrusion Detection System (IDS).
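The definition above is easier to see in code. The following is an added example written for this column, not code from the article, from Trustwave or from DB Networks: a lookup that concatenates user input into a SQL string next to the same lookup written with a parameterized query. It assumes Python’s built-in sqlite3 module and an in-memory database seeded with two constructed rows; the sample inputs are constructed for illustration.

```python
"""Vulnerable string-built SQL versus a parameterized query (added example).

Assumptions (not from the article): SQLite via the standard sqlite3 module,
an in-memory 'users' table with constructed rows, and constructed inputs.
"""
import sqlite3


def make_db():
    """Create an in-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the input is spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened: the statement text is fixed and the value is bound
    separately, so whatever the input contains it is only ever a literal."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed inputs: a normal name, a name with a legitimate apostrophe,
# and the classic tautology that turns the WHERE clause into "always true".
NORMAL_INPUT = "alice"
APOSTROPHE_INPUT = "o'brien"
TAUTOLOGY_INPUT = "' OR '1'='1"


def demonstrate():
    """Run both lookups on each input and return the observed behaviour."""
    conn = make_db()
    results = {
        "normal_vulnerable": lookup_vulnerable(conn, NORMAL_INPUT),
        "normal_parameterized": lookup_parameterized(conn, NORMAL_INPUT),
        # Every row comes back: the input rewrote the query's logic.
        "tautology_vulnerable": sorted(lookup_vulnerable(conn, TAUTOLOGY_INPUT)),
        # No such username exists, so the bound literal matches nothing.
        "tautology_parameterized": lookup_parameterized(conn, TAUTOLOGY_INPUT),
        "apostrophe_parameterized": lookup_parameterized(conn, APOSTROPHE_INPUT),
    }
    # The string-built query cannot even handle an honest apostrophe:
    # the unbalanced quote produces a syntax error at the database.
    try:
        lookup_vulnerable(conn, APOSTROPHE_INPUT)
        results["apostrophe_vulnerable_raises"] = False
    except sqlite3.OperationalError:
        results["apostrophe_vulnerable_raises"] = True
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The apostrophe case is the tell a reviewer should look for: code that breaks on a legitimate O’Brien is code whose query structure depends on the data, and the same property is what the tautology input exploits. Binding parameters removes both problems at once, which is why it is the standard fix rather than input filtering at the perimeter.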