Gartner: Security costs fall with good policies

Enterprises increasingly will face skilled IT criminals trying to infiltrate corporate networks for sensitive data stored in databases, but adopting new policies to evaluate risk should help drive the cost of defense down, computer security analysts said Monday.

The attacks could come in a variety of forms -- extortion attempts after data is encrypted and held hostage; the theft of intellectual property -- but all could have "potentially disastrous" effects for unprepared businesses, said Vic Wheatman, managing vice president at Gartner.

"Most businesses aren't attacked, but some are," Wheatman said at Gartner's IT Security Summit. "We believe that cybercrime represents the next wave."

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Enterprises increasingly will face skilled IT criminals trying to infiltrate corporate networks for sensitive data stored in databases, but adopting new policies to evaluate risk should help drive the cost of defense down, computer security analysts said Monday.

The attacks could come in a variety of forms -- extortion attempts after data is encrypted and held hostage; the theft of intellectual property -- but all could have "potentially disastrous" effects for unprepared businesses, said Vic Wheatman, managing vice president at Gartner.

"Most businesses aren't attacked, but some are," Wheatman said at Gartner's IT Security Summit. "We believe that cybercrime represents the next wave."

Businesses will need new IT strategies to defend themselves. Enterprises now should spend 4% to 6% of their IT budgets on information security. This figure is equivalent to what organizations allot for casualty insurance, he said. From its latest data, Gartner expects information security budgets to increase 4.5% during the next year.

Many corporations are creating security policies based on government regulations rather than threats, however. The result is policies that meet auditors' requirements but aren't necessarily best for overall security, said Jay Heiser, Gartner research vice president. "We refer to that as 'regulatory distraction,'" Heiser said.

Rather than trying to anticipate a new regulation, it's better for companies to treat regulation as one more factor in an overall risk portfolio, Heiser said. It could take at least five years for an enterprise to form this approach, he said.

Corporations also can rethink how they acquire new security software. Rather than buying a best-of-breed security product, companies can buy the "best of need": one that may not be the top of the market but meets the company's requirements, Wheatman said.

Security products also are increasingly meshing what were separate functions. Wheatman said companies have shown success in negotiations with security vendors in getting, for example, antispyware included with antispam and antivirus software instead of paying extra.

"We do think that over time, organizations can decrease their security budgets as a percentage of the IT budget," Wheatman said.

Gartner released figures last week showing strong growth in computer security software sales. Revenue totaled $7.4 billion in 2005, a 14.8% increase compared with 2004. Antivirus software represented 54.3% of the revenue, at $4 billion.

The IDG News Service is a Network World affiliate.