IT budgets will not increase despite a predicted growth in the number of attacks in 2009.
John Colley, managing director for EMEA of information security education at (ISC)2, claimed that there will also be more consolidation in the security field and instead of multiple boxes each carrying out a single function, functions will be consolidated into single boxes.
Colley claimed that budget pressures will make this more urgent, as the credit crunch is reflected in security budgets. He said: “Accountability for information security will be distributed across all departments, including IT, legal, HR, business lines, risk management, compliance and the rising dedicated information security department.
“While we will continue to see the operational side of security being part of business as usual for the IT department, it will be interesting to see what impact the high profile data breaches over the last year will have for managed security service agreements in 2009.”
He further claimed that there should be more concentration on ‘the basics of good information security policy and practice and not forget about the human factor in favour of the latest whizzy technology or security magic bullet’.
Good security awareness among employees should also be instilled, he said: awareness that goes beyond telling people about company policy and motivates them to take responsibility for security for their own benefit.
“Part of the first point but worth identifying as a separate issue, is making sure that security is a key part of the software and application development life cycle. Given the security infrastructure that is in place on networks today, they are increasingly exploiting the software that users access rather than the operating systems or networks to gain a route into the organisation.
“At present we have a situation where executives are aware of the need to support good information security, budgets have been increasing over the years, yet breaches appear to multiply, many of them the result of poorly implemented policies rather than highly sophisticated attacks. Information security is not rocket science, it's mainly common sense. The problem, of course, with common sense is that it is not that common.”