When it comes to tackling security, governance and compliance in 2004, Australian organizations are likely to take the same approach they have taken for the last few years, that is, continuing to “spend as little as they can get away with.”
While there are plenty of issues in all three areas that need to be addressed and should be at the forefront of the IT agenda in the new year, Meta Group Inc. senior analyst for security and risk strategies Michael Warrilow said end users continue to bury their heads in the sand.
Spending, he said, won’t peak until 2007/08 although organizations are committing more funds to security which currently accounts for an estimated five per cent of the IT budget.
But despite all the talk about reputational ruin when it comes to good corporate governance, Warrilow said there will be little change in 2004.
“It will continue to be thrown in the too-hard basket because governance is ultimately about changing behaviour and that comes down to people which is always the hardest part; technology is easy in comparison,” he said.
More than half of the IT security budget is currently being spent on staffing while 30 per cent is allocated to products and technology. Meta research shows there is a relatively even split in product spending between the network (29 per cent), server (29 per cent), client (23 per cent) and application side (18 per cent). In 2004, spending will focus on antivirus for e-mail, firewalls, antivirus for the Web and network intrusion detection respectively.
By 2005 Warrilow expects security spending to be more strategic as organizations move away from ‘fire fighting’ and begin more high-level projects such as data classification.
While only 17 per cent is being spent on external service providers, Warrilow said the outsourcing of security services will continue to increase with the Asia-Pacific region identified as one of the largest markets for growth.
Admitting that hosted security services are still in the early adopter phase, the technical director for managed security provider Zento, Sheldon Walters, said uptake has been strong among small to medium enterprises.
Walters said the market is being driven by the need to find and retain staff with security skills and budget constraints on capital investment.
When it comes to hosted security services, he said some processes such as patch management and configuration change were fairly mature, but areas such as incident response needs further development.
“Traditional ROI measures are hard to apply to outsourced security, where much of the value lies in intangibles,” Walters said.
“The key is often not whether a company can run its security more cost-effectively as a result of outsourcing, but whether it manages its IT security more effectively.
“Therefore, the real benefit is peace of mind knowing security is being looked after by professionals.”
So what is hot in 2004? Walters said organizations that comply with security best practice and adhere to current standards can reach agreements with insurers to reduce premiums for their business interruption insurance.
Compliance in 2004 will vary by industry with the finance industry continuing to get their house in order with Basel II and the Sarbanes-Oxley Act.
Meta’s Warrilow said these compliance issues come down to “good old fashioned hard work.”
He also warned users to be “wary of all these U.S. vendors treating compliance as their next cash cow.”
One compliance issue that is dominating the corporate IT agenda is electronic record keeping and e-mail management. Digital taking over from the written letter as the preferred form of communication accounts for more than 90 per cent of information held in most organizations.
There are a host of regulations driving compliance in this area including the Archives Act and the Evidence Act. In terms of cyber investigation e-mail is the new DNA.
While organizations will be beavering away in 2004 ensuring they are compliant it does not immediately equate to good corporate governance.
By complying with legislation, Legato Software vice-president Stephen Lloyd-Jones said many organizations assume they are applying good governance.
“So common has this error become that it is creating what might well prove to be a fatal flaw for many Australian organizations; we think simply meeting compliance is enough,” he said.
Good governance is about cultural change that goes beyond ticking off a few boxes and means educating an entire organization at all levels.