Top IT Security Investments for 2013Mobility, Authentication, Encryption Are Experts' Picks
If 2012 is the year of mobility - as remote computing drives organizations to figure out how to let employees gain access to critical systems from anywhere - 2013 is likely to be a repeat.
As 2013 budgets take shape, the editors of Information Security Media Group websites asked their boards of advisers - leading information security practitioners, regulators, academics and thought-leaders - what they see as the technologies they expect organizations to invest in in the coming year. Nearly all of the experts mention mobility.
Besides mobility, other technologies individual advisers see organizations acquiring in 2013 include authentication, encryption and monitoring wares.
"Mobile security seems to be top of the list," says Adam Greene, an attorney who specializes in HIPAA and HITECH Act compliance and member of the HealthcareInfoSecurity board. "As we move towards greater adoption of EHRs (electronic health records), inappropriate employee access to records continues to be a thorn in the side," Greene says.
Another HealthcareInfoSecurity adviser, IT security consultant Tom Walsh, agrees, noting the trend of moving away from organizationally owned to personally owned devices, referred to as bring your own device, or BYOD. "Realistically managing workers' expectations while establishing appropriate safeguards and controls to reduce risks is the challenge facing almost every organization," he says.
Mobility also will drive investments in multifactor authentication not dependent on cryptography, says GovInfoSecurity and InfoRiskToday adviser Melissa Hathaway, who served as a top cybersecurity adviser to Presidents Obama and Bush.
"Adoption and use of mobility for both corporate and personal use will make the importance of access management to the enterprise all the more important," she says. "How will the CIO and CISO identify and authenticate devices, users, services and data sources for all transactions? What will be the corporate policy for 'wipe' of lost devices? So, we will need to have multiple forms of authentication that are not necessarily dependent on a key to authenticate a user to a device, to the service, to the data."
Other factors drive enterprises to buy mobility tools besides BYOD, including mobile payments, mobile identification and the impact on migrating to the EMV (European Mastercard Visa) magnetic strip on credit and debit cards, says BankInfoSecurity adviser Chuck Somers, vice president for ATM security and systems at ATM manufacturer Diebold.
Chris Buse, an adviser to GovInfoSecurity and InfoRiskToday, says Minnesota state government - where he serves as chief information security officer - will be looking toward purchasing mobile device management tools. "We need more features and functionality than we currently deliver through active sync and our Office365 cloud-based messaging infrastructure," he says.
Beyond mobility, BankInfoSecurity adviser Julie McNelley, research director for the advisory firm Aite Group's retail banking practice, identifies behavioral analytics as a technology financial institutions might invest in. "Behavioral analytics is a big area of spending we're seeing, both to ward off the threats as well as to comply with the FFIEC (Federal Financial Institutions Examination Council) guidance," she says.
Gartner analyst Avivah Litan, a BankInfoSecurity adviser, sees organizations beginning to show interest in cyberthreat intelligence.
Purdue University computer science professor Gene Spafford, a CareersInfoSecurity board member, sees technologies surrounding adoption of cloud computing as being of interest to IT security technology buyers. Enterprises, he says, must know "what the real risks are, both short-term and long-term, and accommodate them accordingly."
Organizations will need to make sure the technology they acquire is compatible with Internet Protocol 6, known to some as the new Internet, or IPv6, which is architected to be safer than IPv4. "Most organizations are buying and embedding IPv6 enabled devices but running an IPv4 security structure," Hathaway says. "This allows for multiple channels - more than 20 - to run traffic undetected. Their biggest challenge will be how fast can they detect, discover, diagnose and mitigate malicious behavior across the enterprise."
Some organizations, strapped for cash, will need to be innovative in spending their limited money on IT security technology. "While we are still restricted by the deep budget cuts in local government, we are looking for solutions that address our network monitoring needs in ways that can be consolidated and correlated with other controls in order to reduce the resource load, including human, systems and financial," says GovInfoSecurity adviser David Matthews, deputy CISO for Seattle city government. "We are also very interested in community-based solutions that leverage information and resource sharing."