Disruptive Technologies Mean IT Security Here to Stay, Gartner Says

Gartner's managing vice president says that while new technologies will continually redefine appropriate security frameworks, complying with policy should not distract from securing systems and the data housed in them.

Spending on security issues as a portion of overall costs for information technology (IT) is leveling off in many enterprises after steady increases for several years, according to Gartner Inc.

Yet new challenges created by the continuing flow of new technologies in coming years are certain to keep security threats on the list of IT leaders' major concerns, the head of Gartner's security research team said yesterday.

"Each wave of technology obliterates the security architecture appropriate for its predecessor," Victor S. Wheatman, Gartner managing vice president, said yesterday at the opening of Gartner's 11th annual IT Security Summit. The conference, at the Marriott Wardman Park Hotel, runs through Wednesday.

"Enterprises will often rely on outside support, such as consultants and outsourcers, at the onset of any change," Mr. Wheatman said. "Security funding will shift from traditional solution purchaser to a broader, better-defined risk management process involving investment in three objectives: keeping the bad guys out, letting the good guys in, and keeping the wheels on (maintaining operations)."

In the past 20 years, for example, security challenges have arisen in mainframe computing, personal computers, networked PCs, distributed applications running across local area networks followed by external networks, wireless networking devices and Web services.

"Disruptive innovation means the need for information security is here to stay," he said. During the next few years, some major new IT security threats will include phishing, attacks on wireless and mobile devices, spyware, and vulnerabilities in operating systems and voice-over-Internet protocol.

Wheatman advised the audience of IT decision-makers from business, government and non-profit organizations to follow these steps in analyzing emerging or unforeseen security threats when new technologies are brought into their organizations:
  • Apply risk assessment to each new business process to determine the appropriate defensive action.
  • Evaluate the changing threat landscape in the context of your defensive requirements. As threats mature, so do defenses.
  • Focus on your business needs and threat assessment to set priorities for security requirements. Investing in an over-hyped technology too early can result in a complete waste of enterprise security funds.

Most organizations are using regulatory pressures, such as those created by the Sarbanes-Oxley financial reforms in the U.S., which require publicly traded companies to document more details, to fund IT security projects and to better integrate IT security with business units.

This is an ideal opportunity for IT leaders to integrate IT security management with broader business or operational issues, Mr. Wheatman said. He added, however, that spending emphasis must be placed on IT security concerns even as processes are created to comply with new standards for financial reporting, audits and other compliance issues.

"Protect customer data first, then document it, not the reverse," he said. "Compliance changes priorities but shouldn't reduce security. Let management know when generating compliance reports starts to interfere with core IT security operations that could hurt business."

Wheatman said many enterprises have placed increasing strategic importance on IT security concerns. This is especially true in highly regulated organizations, in which managing information security is considered a vital element of enterprise governance processes. In these organizations, the chief information security officer often reports outside the IT department to a chief financial officer, chief risk officer or chief compliance officer.