But report author Daniel Kennedy warns that while security budgets and teams are growing – driven by “a near-constant drumbeat of breaches alongside ever-tightening regulation” – the security function “is still small, stuck in IT, and writing policies that half of the time are not being followed”.
The survey confirms that nearly half the 207 security managers interviewed think their information security policy is ineffective.
The study also finds that compliance, potentially of the box-ticking kind, is driving cyber security project priorities. “A whopping 38 percent of interviewed security managers noted that most project selection and approval was predicated on 'compliance deciding', more than double any other method of project selection,” Kennedy said. He calls this “an outsized role for compliance in security”.
The two big technology trends this year will be mobile security and security information gathering – with 46 per cent of enterprises planning to spend more on mobile device management (MDM), the same number spending more on security information and event management (SIEM), while 40 per cent and 37 per cent are increasing their spend on identity management and event log management systems respectively.
Mobile device management – driven by the Bring Your Own Device (BYOD) trend – is the top source of pain at 18 per cent of large enterprises. But MDM adoption is rising rapidly, from 46 per cent of organisations using it last year to 59 per cent this year.
On staffing levels, 451 Research says that while numbers are growing, “the 2014 security team is still fairly small in most enterprises and perhaps too under-staffed to do all the projects it is being asked to do”.
Commenting on these findings, Amanda Finch, general manager of the UK-based Institute of Information Security Professionals (IISP), believes that security staffing is the most critical success factor.
“The whole information security landscape is getting more complicated, so organisations are likely to need more people to cover the increasing number of different disciplines involved,” she told SCMagazineUK.com.
Finch added: “You need to understand your organisation and what you should be protecting, and what you should be protecting in-house and out of house. Having worked in this space for a long time, it doesn't get any easier. These are the latest round of challenges that we have to face but in essence it all has to go back to risk management.”
Meanwhile, Daniel Kennedy said that the “pronounced role of compliance” in security projects could be good or bad.
“Compliance-deciding can actually take a number of forms - some effective, and some less so,” he said. “For example, security managers tying what they believe should be done to a compliance requirement, and thus using it to secure funding, might be an effective use of compliance's increased power.
“Perhaps worse is compliance overstepping its mandate by not only interpreting regulatory requirements into project requirements but also trying to specify the exact technical and process implementations as well.”
Steve Durbin, global vice president of the Information Security Forum (ISF), is concerned at this dominant role of compliance.
He told SCMagazineUK.com via email: “I am on the record as not being a fan of compliance driving security programmes or security spend, very simply because it drives an audit mentality that often focuses on getting the right tick-in-the-box as opposed to taking a more business-based, holistic perspective on what is required in order to operate effectively in cyberspace.
“Furthermore, compliance, like regulation, lags behind and rarely has the ability to be forward looking – to be safe in cyberspace we need to plan for the unexpected. A compliance-based approach does not lend itself easily to doing so. That being said, compliance is a very necessary evil in many sectors.”
Durbin believes that the rise in security spending is due to “extremely high-profile cases such as denial of service attacks on the banks last year and the more recent fallout from Target amongst others” as well as the ‘Snowden effect’.
But he said: “It is worth bearing in mind that security departments in general are still in catch-up mode after significant periods of under-investment and cost control. So whilst this is welcome, for me it is very much more about aligning the needs of security with the business and ensuring that business projects have security factored in to them from the beginning rather than having it added later on.”
* The Information Security Study is based on interviews with 207 information security professionals conducted between April and October 2013. A webinar on ‘The State of Enterprise Security in 2014, results from 451 Research's 16th annual end user security study’ will be held on 19 March. Register via https://www1.gotomeeting.com/register/578226960.