Research due to be published in July suggests that most IT executives continue to find security overly complex and difficult to justify from a return on investment (ROI) perspective.
A survey of around 1,000 executives conducted by global consulting company Accenture is due to be published by InfoWorld next month. It found that complexity remains the number one challenge for companies implementing IT security measures, as it has done over the last three years, suggesting that vendors have so far done little to make their solutions simpler or provide better value for money.
Of those questioned, 68 per cent said they did not see the value in security, 53 per cent view it as a necessary evil, 66 per cent did not understand the fundamentals and 48 per cent believed security was being driven by hype and scare stories. A further 24 per cent said they thought security technology was stuck in a rut and did not move fast enough.
Speaking at today’s Chief Information Security Office (CISO) conference in Nice, global managing director for Accenture’s security business, Alastair MacWillson, said too many companies have simply layered one security solution on top of another in enterprise IT environments. And the majority of the measures implemented have not been effectively tied to the business processes they are supposed to protect and improve, despite the fact that they continue to eat up over nine per cent of total UK IT budgets, he added.
“Lots of organisations' buying behaviour is based around the fact that they never know if they will be replacing something old with something new, so they layer stuff on top of other stuff," said MacWillson. "Vendors say this is defence in depth, but this is just taking money out of [buyers'] pockets, layers on complexity and does not help anyone.”
Richard Archdeacon, director of the innovation team for Symantec’s EMEA enterprise segment said that consolidation amongst security vendors would drive a more unified approach to the complexity problem. But he believes CISOs must overcome the ROI issue by aligning ‘baked in’ security tools to support specific business models.
“It is not about justifying ROI, but the need to support that particular bit of technology in the business model. As more companies go into an online world where the risks are obvious, they need to align their security strategy with that process,” he said.
“Things are improving – spam represents over 50 per cent of email, for example, but it is no longer the huge problem it was two years ago.”
Patrick J. Sullivan, Accenture Global Account Director for Sun Microsystems, argued that organisations themselves must take a more pro-active approach to adopting end-to-end security measures that extend from the network layer all the way to the application layer.
“I think it is interesting that 53 per cent see security as a necessary evil – finally, a survey that represents IT execs true feelings – but a lot of responsibility rests on customers' own shoulders,” he said.
“At the moment, security is not organised as an end-to-end approach. It is compartmentalised from one division to another, uses multiple ISVs and home grown software to collect data from multiple feeds.”