
SA firms lag on security spending


Cape Town, 26 Oct 2005

South African companies have fallen behind the international IT security spending curve and have to play catch up with the latest efficiencies, says a local expert.

"The notion of spending less and still being more secure assumes that you've spent enough already. In SA I don't think that is true," says Craig Terblanche, business and technology advisor at Marketworks, the local representative for UK research firm Datamonitor.

Terblanche was commenting on a statement issued today by international research firm Gartner, which said enterprises can improve their overall security systems through the combination of multiple market, technology and organisational forces.

Gartner says by 2010, as these elements for increased efficiency continue to evolve, only one in 10 new emerging security threats will require the deployment of a tactical, best-of-breed solution, compared with eight in 10 in 2005.

Anti-hacking strategies

"Consolidation and convergence of security functions onto security platforms will have the greatest effect in terms of overall cost reduction over time. However, technology is only part of the story. Collectively, the ongoing improvements in process discipline of the IT organisation will be the second largest contributor to spending less and being more secure," the Gartner statement says.

Terblanche agrees that IT security has improved, because of the prevalence of anti-hacking strategies and a formal anti-hacking community.

"However, the one threat that does impact an organisation could be the '911' of security. As security technology advances, the bar is raised and the hacker community, criminal and economic terrorists are likely to rise to the challenge," he says.

Gartner believes the time is ripe for information security threats and technologies to be turned over to the operations side of the IT organisation and that an information security organisation should be focused on new emerging threats and technologies.

"This requires the information security team to 'let go' of the more routine, mundane threat protection technologies and focus on what they do best - effectively addressing new threats," says John Pescatore, Gartner VP and analyst.

Process vs products

Neil MacDonald, another Gartner VP and analyst, says that in order for enterprises to get more secure and spend less, they should focus on process, not products.

"Businesses should increase the efficiency of the security programme either by reducing the percentage of revenue that goes toward security spending or increasing the amount of protection from established security spending levels and also increase the effectiveness of the security programme, reducing the number of successful incidents or providing security controls that don't interfere with business missions," he says.

The Gartner statement says just as business processes are key to the success of a business, defining the security processes is key to securing a business. Four security processes - network access control, intrusion prevention, vulnerability management and ID/access management - and the interfaces between them, are the best approach to improving security effectiveness and efficiency, it says.
