Companies that want to spend less of their IT budget on security and improve its effectiveness must “bake in” security across their operations so it becomes a part of the business process, not an afterthought.
“If you get something baked into a business process, it almost never goes away,” said John Pescatore, vice-president and distinguished analyst with Gartner, who kicked off the Gartner IT Security Summit in Washington, D.C., earlier this month. “It’s not just thinking about security, but having people do it as part of their jobs.”
Pescatore made the analogy of security professionals playing the arcade game Whac-A-Mole, using a big stick to fight off threats as they pop up. Instead, security professionals should fight threats as though they’re playing a game of chess, where no one move can end the game and where skillful players contain their opponents to areas of the board they can control and always are thinking a couple of moves ahead.
Getting to that point, which Pescatore calls Security 3.0, or “skating ahead of the puck,” takes significant changes in the way an entire organization prioritizes security.
Many companies already have increased their spending on security, yet threats continue to come from new and varied places. For example, the “consumerization of IT,” which Gartner defines as employees using their own devices at work, and the rise of wikis, blogs and other Web 2.0 technologies, gives the IT department less control over technology while opening up systems to new threats, Pescatore said.
Nevertheless, the idea isn’t to spend even more on security, he said. In 2006 the average company spent about five per cent of its IT budget on security, not including data recovery. However, there’s little correlation between increased spending and heightened security. Instead, companies should insist that security be present in many different business processes — application design and development, procuring third-party services, making RFPs, and testing and evaluation — so that it doesn’t have to be retrofitted after the fact.
“You have to figure out ways to get [security] protections built in,” Pescatore said. “Then the spending isn’t coming out of the security budget.” This approach offers better security controls, because they’re organic instead of retrofitted, and frees up security spending for more strategic initiatives, he said.
“If [companies] can get to this level of operational excellence, they can get back to spending three per cent to four per cent of their IT budgets on security,” he said. Other priorities for security professionals today include taking advantage of compliance funding to help drive security, Pescatore said. “It’s very important not to just report more about compliance, [but to achieve] more protection of data.”
There is a set of critical security processes that are tactical approaches today but will lay the groundwork for strategic systems going forward, he said. These include network access control, intrusion prevention, identity and access management, vulnerability management, and data security.
Buying the most secure products available so that less money is spent trying to fix things is also key, Pescatore said.