IANS: Geographic Disparity Exists for Information Security Expenditures

Despite economic downturn, spending projections are healthy as need for security remains high regardless of market sector

BOSTON, MA (September 30, 2008) — Following an intense two-day forum gathering of IT security managers, directors and C-level executives, and 19 security solution providers, IANS predicts that IT security spending will continue to expand through 2009 across most industry sectors, but that certain geographic regions will continue to outpace others in their demand for security technology solutions.

The 8th Annual IANS New England Information Security Forum, held September 8-9, 2008, drew close to 200 delegates – all practicing security professionals – from 98 distinct organizations, and 19 security solution providers across 15 product categories to engage in insightful discussions about the tactics, theories and real-life experiences facing organizations throughout the region. This Forum follows closely on the heels of the 5th Annual Lone Star Information Security Forum held in June in Dallas, Texas. Comparing findings from the attending delegates and the assessments made by the IANS Faculty Members from both Forums, IANS continues to see clear differences in information technology needs across geographies in the United States.

According to Jack Phillips, co-founder of IANS, “Many of these differences result from organization maturation and market sector demands. For example, a rail company in the southwest – often conservative in nature and typically not early adopters – has very different security concerns than leading financial institutions, academia, or medical research organizations in the Northeast.”

Key Findings
With security threats continually on the rise and resources constrained, there is no shortage of IT security protection. A pragmatic approach to purchase decisions dominates, regardless of region, as IT managers continually seek solutions that reduce complexity and offer simplification and automation. Compliance remains a hot button for many organizations: it is a time-consuming key priority drawing the attention of senior management. While organizations tackle compliance, almost all, across all regions, are concerned with protecting data but are proceeding cautiously with what to do next. The same holds true for virtualization and the related uncertainty about relative security concerns, predictions, and solutions.

Looking at specific security concerns and solutions, disparities arise between the needs of organizations in the Northeast versus those of the Southwest. Generally speaking:

  • Data Protection – remains the top priority, as organizations understand the depth of the problem. Most organizations believe that Data Leak Protection solutions only go part way, and few companies have deployed them enterprise-wide. Encryption, which is widely deployed, is the easiest and most common approach to data protection. Port/device control solutions are seen as expensive but good, and only a few IT managers are looking at database security. “In the middle of the country, most organizations are just now considering DLP technology. On the East Coast, most organizations are now asking if they still need it after making an initial purchase,” said Phillips.
  • IDS/IPS – is now widely adopted and the key considerations now lie in making sense of the immense amount of data to determine actions. Historic fears about slowing down business operations when running IPS in-line are still common. Many organizations in New England use their IDS/IPS to identify data leakage. One delegate spoke of developing custom signatures to track data that might be leaking to generate alerts. This has replaced the need to purchase DLP. According to Phillips, “The IDS/IPS vendors have added so much functionality that high-performing CISOs, particularly in the Northeast, wonder if they can get away without a DLP expenditure.”
  • SIM/SIEM and Log Management – is generating a great opportunity to collect data for compliance purposes. Adoption rates are high in geographies where organizations have high investment in their information assets. Many IT managers in the Southwest admit a lack of knowledge about the category and are overwhelmed by, and unsure how to use, the volume of information these tools generate. There is a great deal of concern about the implementation pain and ongoing support. Conversely, “the sessions held in Boston and New York are essentially SIM/SEM user groups since adoption rates are so high,” noted Phillips.
  • Identity and Access Management – presents the same challenges to the IT manager as SIM and log management. Most security professionals understand the need – regulation, data leakage, enabling the business – but remain leery of enterprise-wide implementation, which seems like an enormous new undertaking with integration complexities that will drain human capital and financial assets.
  • Configuration & Patch Management – is part of the fabric of most organizations’ IT network already, but draws delegates’ attention when new solution benefits are explained.
  • Vulnerability Management – is of ongoing interest, with passive scanning gaining the most interest, as opposed to active scanning, which is seen as impractical and taking too much time. “As with many of the other technologies, financial services, biotech, medical, and insurance companies, and universities up and down the East Coast tend to lead adoption of automating vulnerability scanning, and pursuing the new breed of Unified Threat Managers (UTM) on the market today,” said Phillips.

Unique Forum Structure Supports Open, Honest Discussion of Security Needs and Threats
IANS Information Security Forums are about tactics and theory, real-life experience not academic studies, and allow attendees to learn more about the security issues facing their peers. Forum Delegates gain insights on the best practices and lessons learned directly from peers; stay up to date with emerging technologies and early-stage developments; and network with influential peers and Faculty. These peer-based, CEP-accredited events are designed to provide IT security practitioners an environment where case study methodology is used for innovative, thought-provoking, and insightful discussions. Featured topics at this year’s event included six interactive discussions surrounding the following topics:

  • Smartphone – Security Dummy?
  • Sophisticated Adversaries and Advanced Malware: What can you do?
  • Software or a Rolled-up Newspaper over the Head: How to stop data leakage?
  • Execution Control
  • Regulatory Distractions
  • Are you Cutting-edge? What you read can make a difference

There were 11 practitioner briefings across the following tracks:

  • Information-centric protection
  • Application and software security
  • Incident response and forensics
  • Identity & access management
  • Network potluck
  • Evolution to risk management
  • Security leadership

IANS’ exclusive partnership with (ISC)² allowed 68 holders of the CISSP credential to receive 16 continuing education hours for the two-day event.

MEDIA: Members of the media interested in receiving the complete summary of findings can contact press@iansresearch.com and provide their full contact information. Once finalized, the full report will be sent via email.

IANS, founded in June 2001 as the Institute for Applied Network Security, is inspired by the Harvard Business School experience of interactive discussions driving collective insights. IANS adapted that format to fit the needs of information security professionals, and focuses exclusively on the fields of information security, regulatory compliance, and IT Risk Management. IANS’ mission is to deliver technical and business insights that assist our clients in solving their most pressing problems. IANS serves its clients through a unique “bottom-up” research methodology. The combination of world-class Faculty and a closed community of end-users drives IANS’ insights, curriculum, and dialogues. IANS offerings include the Partner Program annual research membership, regionally-held Information Security Forums, peer-based Executive Roundtables, and a custom collection of Advisory Services. For more information, visit www.iansresearch.com.
Lauren Curley
781 383 6406
press@iansresearch.com
