Forrester report says firms spend 21% of security budget on networks

Corporates need to invest in the human firewall - Forrester analyst


A study just published by Forrester Research claims to show that businesses on both sides of the Atlantic invested an average of 21 percent of their IT security budget on network defences last year - with 46 percent of businesses planning to increase this budget allocation during 2014.

The report – Understand The State Of Network Security: 2013 To 2014 - says that businesses are boosting their investments in pro-active control and threat intelligence services, along with better wireless security, next-generation firewalls and increasingly advanced malware detection.

And when it comes to security services, the analysis - which polled 2,000 IT executives and decision-makers across North America and Europe - predicts that firewall management and threat intelligence services will see the most demand as we move forward into 2014.

Recommendations

Recommendations from the report - authored by Heidi Shey, Stephanie Balaouras and Kelley Mak of Forrester Research - include organisations continuing to invest in people, and not just in technology and services.

A lack of staff, and the unavailability of security staff with the right skills, are challenges cited by almost half of organisations today, according to the report. As firms continue to compete for skilled staff, Forrester says they should continue to invest in skills and career development for their current security team.

Andrew Rose, Forrester's Principal Analyst for Security & Risk in the UK, told SCMagazineUK.com that the report is the latest in an annual series from the company, all of which have noted a trend of extra investments in network security, even during the height of the recession.

"The problem has been that these investments have not been enough to secure the network resources, with predictable results," he said, adding that, whilst it is good to see budgets for IT security on the up - as this report observes - it is clear that many organisations still have legacy security systems in their architecture that are costing them a lot more to maintain than they should.

There are, he explained, lots of legacy systems, but it is also clear that many organisations would be better off on several fronts by investing in a completely new security architecture, rather than patching and maintaining legacy security systems which do not represent good value for money.

"The bottom line here is that corporates need to look at the actual bang-for-the-buck they are receiving from their IT security systems. They also need to remove the old layers of technology and refresh their security," he said.

"Then they also need to invest in what we call the human firewall - which amounts to better security training for staff. More technology on its own does not make for better security - organisations need to invest in training in order to enhance their security," he added.

The pen tester's view

Peter Wood, CEO of First Base Technologies, the pen-testing specialist, said that the Forrester report illustrates that network perimeter security is now quite mature, "but we still find plenty of weaknesses inside organisations when we conduct a penetration test".

“Poor levels of staff awareness still leave organisations open to social engineering and advanced attacks - a growing problem, and inadequately secured internal systems are easily exploited by insiders – still the most significant source of attack according to the report,” he explained.

Wood went on to say that organisations need to engage independent experts to test their defences in a much more holistic fashion - simulating the more sophisticated, multi-stage attacks which are now so prevalent.

“Advanced testing should start with background research and social engineering, moving through end point exploitation, to network attacks and data exfiltration. Since this is what the criminals do, we believe it's critical to simulate these attacks and test defences against real-world threats,” he said.

Focus on weaknesses

“Finally, risk-based testing is critical to optimise the use of limited budgets and to focus on the key weaknesses in each sector and each individual organisation,” he added.

Delving into Forrester's report - which forms part of the firm's Forrsights survey programme - shows that inadvertent insider breaches (36 percent) and malicious insider breaches (25 percent) were two of the top five most common ways in which breaches occurred in 2013.

Network firewall monitoring and management, and Web application firewalls, meanwhile, were noted as the top two growth categories that organisations would like to have as-a-service in 2014, with 28 percent of organisations stating that they plan to invest in either adopting or expanding both technologies.

Interestingly, whilst 57 percent of organisations indicated that they prefer to source from a single vendor's portfolio, more than half of firms rated lack of staff as a challenge to achieving their security goals, with 48 percent citing the unavailability of security employees with the right skills as a major challenge, and a lack of security operations skills as the biggest pain point.