Zeus Kerravala is Founder and Principal Analyst with ZK Research. Kerravala provides research and advice to end user IT and network managers, vendors of IT hardware, software and services and the financial community looking to invest in the companies that he covers. Follow Zeus on Twitter: @zkerravala.
OPAQ: How will IT security budgets change over the next 12 months, and how will IT directors prioritize spending?
ZK: Security is a top driver for IT spend, and it’s the number-one driver for network spend. I think that we will see 8-10 percent growth this year over last year, which is three times the overall IT spend growth. This trend has been going on for the last five years or so, partly because with social media, any kind of perceived breach gets magnified so fast. It can cause public embarrassment, or as with Target, the company had to bribe customers to come back with incentives. Some companies have had to change their business models, while others like Sony had lots of employees leave the company after the breach. If you talk to a CEO or CFO, they usually don’t care about what servers and cloud platforms are in use, but they do care that there is a security strategy because it’s something that shareholders and customers are asking about.
I see a shift in security spending. Today about 90% of spend is still focused on the perimeter but only 27% breaches occur there. We’ll see more focus on protecting users, apps, internal networks. It takes a lot of work to get through a state-of-the-art firewall. It’s much easier to launch malware by a user clicking on a link.
OPAQ: Which cyber security threats seem to be foiling enterprises today and the vendors who serve them?
ZK: The greatest challenge today is malware through encrypted traffic, because traditional security tools can’t see it. If I can embed malware in corporate email it bypasses security systems. Ransomware is another big problem, caused by users clicking on links that they shouldn’t. We are also seeing more corporate fraud where someone will mimic a CEO’s message. They do this by studying language from emails and LinkedIn profiles. This happened to a tech vendor in Silicon Valley where an email went from someone posing as the CEO to the finance division and the company cut a check for over $45 million to a fake supplier. The whole nature of threats has changed: they are very sophisticated and targeted.
OPAQ: Do you think security priorities would be different if there was no compliance pressure?
ZK: I don’t think it would be less important, but sometimes compliance can create a false sense of security. Let’s say that a company has a policy in which employees must change their passwords every quarter, but how many people can have 13 passwords that they memorize? I spoke with one employee at a company with a policy like this and he just made passwords with the seasons of the year which he changed periodically. Companies should do the work to understand whether requirements are making the company more secure or not. For instance, one well-scripted password might be better than having people change their passwords every month.
OPAQ: What are some basic principles of security that perhaps companies overlook when making their plans and strategies?
ZK: The first one is that more isn’t better. My research shows that companies have around 32 different security vendors. If you have a bunch of tools and they all are on their own island, that’s complex and overwhelming. If you make a change in one system, you don’t know what other changes you need to make elsewhere. Then you can’t be effective.
You’re only as secure as your weakest link. You could be spending a lot of money protecting the perimeter, but if you have an insecure wireless LAN, what good is that? I advise companies to think about security more architecturally. Take a step back and realize what systems you have in place instead of piling on more technology.
Organizations need to think about having strong network visibility. This is about anomaly detection, which is a means to identify breaches that might be hard to find otherwise. A company with a connected soda machine that is suddenly trying to access the accounting server is probably not a good thing. The network sees all traffic and devices, and can pick up patterns veering from normal which could indicate a breach.