IT security becomes a boardroom issue in SA

The issue of South African corporate IT security has become a boardroom discussion, due in part to regulatory and statutory requirements and policy frameworks, and the high profile security breaches seen in 2003 and 2004, according to BMI-TechKnowledge Group.

The issue of security coupled with business continuity, the research house says, relates to the overarching corporate risk-mitigation strategy, and notes that this top-down approach will help permeate security awareness into all corners of the organization. The growing complexity of IT systems continues to produce confusion and the current “world-under-attack” backdrop generates corporate concern, BMI-T adds, with both issues creating an active market for information security products and services.

BMI-T says that, overall, the local IT security market grew by approximately 16 per cent in 2003, and is worth R1.082 billion (US$168 million). This level of growth, it says, is expected to continue throughout the forecast period, and all segments, hardware, software, and services, will lead growth uniformly, as enterprises seek to improve their infrastructures to manage organizational risk more effectively.

The company adds that security software accounts for the largest portion of the total IT security market, while security hardware/appliances bring in the smallest revenue amount at nearly 17 per cent. Security services are expected to grow over the forecast period, increasing the revenue percentage contribution to the market as a whole. Software revenues will also continue to grow, but at a lower rate than previously. Hardware, BMI-T says, is expected to be the favored delivery method for security solutions. It notes that take-up in SA will be largely dependent on how these appliances are priced.

BMI-T says service providers remain highly fragmented: despite market consolidation and attrition among the boutique players, smaller information security companies continue to emerge. Future consolidation among the large service providers is expected to continue, and the overall IT services market will experience further merger and acquisition in this highly competitive environment, the company adds.

BMI-T says the following drivers and trends have contributed to this continued growth in the market:

— Increased e-commerce and Internet use: Increased Internet use is changing the character and source of security issues that organizations face. Internal threats are growing in significance, and external attacks are becoming more sophisticated, malevolent and are attracting media coverage.

— Increasing Internet fraud: even in countries where Internet and security infrastructure are considered more robust, they will still not be spared from cyber terrorism. ‘Phishing’ has become a major threat to anyone who has used the Internet to conduct any financial transactions.

— Previous malicious attacks: companies tend to invest in security once they have experienced a security breach.

— Mobile computing and wireless trends: mobile computing drives the demand for security services. With a growing number of devices being connected in the mobile environment, traditional perimeters, such as gateway firewalls and typical protection zones are lowered or removed, increasing the likelihood of security breaches.

— Regulations and legislation: as the influence of initiatives such as the King II report on corporate governance, the Electronic Commerce and Transaction Act and Basel II grow, the legal requirements surrounding information security and privacy will be an important decision criterion for local organizations. Overall, BMI-T believes that the effect on spending will be positive, and initially, services players that offer audit, assessment and compliance-related services will benefit.

Consequences of noncompliance, it says, can have a major effect on company brand image, and on individuals within the management structure. The company adds that compliance becomes a clear reason to spend and it is likely that a considerable proportion of the spend on compliance-related issues will be internally focused on training and education. It notes that compliance testing, audit, and risk assessment will also be important.

Factors inhibiting the market, according to the research house include:

— Justification of ROI;

— Lack of market understanding of the extensive diversity of security technologies;

— The lengthening of the sales cycle and the increasing complexity of the buying decision are moderately slowing spending;

— Fear of the “new” and there is a tendency for organizations to “make do” with existing security arrangements.