Gartner: Asia Security Spending RisingSid Deshpande on Priorities for 2015
Gartner's Sid Deshpande is optimistic about the potential cybersecurity growth that the Asia Pacific region may witness this year.
See Also: The Global State of Online Digital Trust
Alongside crucial lessons the security fraternity has absorbed from past experiences - particularly the high-profile breaches in 2014 - there is hope for enterprises making the right investments in information security solutions, he says.
"The key learning has been that security teams have realized the need for having the right security framework and the right conversations with the board to be on the same page," says Deshpande, Singapore-based principal analyst at Gartner, Asia Pacific.
"Besides implementing the right technologies, creating security awareness among employees in understanding risk factors and building required competencies, combating the worst is of the utmost importance."
In this interview with Information Security Media Group, Deshpande shares insights on the challenges that CISOs face and anticipated positive strides through increased security spending to prevent breaches and mitigate evolving threats. Deshpande also discusses:
- Security trends that CISOs must watch;
- The need for increased security spending to thwart cybercrime;
- Best practices to future-proof infrastructure and applications
As a principal analyst, Deshpande handles security aspects of Gartner's research. The worldwide lead for cloud storage forecasts, he tracks the cloud IaaS space closely, both from the APAC and global level, with a focus on the Indian market. He's closely aligned with the entire value chain of vendors and providers in the storage hardware market.
Asia Security Trends
Geetha Nandikotkur: What are the new aspects that will draw security practitioners' attention in 2015?
Sid Deshpande: Broadly, I'd expect about 25 percent of all enterprise data in the Asian region outside the network will be digital by 2018. Enterprise customers will adopt mobile first and cloud first, as there'd be a huge uptick on the cloud momentum and the cloud security market in 2015.
Organizations will be keen on investing in data-related activities and making companies resilient to cybercrime. The thrust is around:
- Data security of digital assets;
- The application layers;
- Network security.
Enterprises will invest more in security resources - no longer only for compliance reasons - and take risks seriously. I foresee outsourcing enterprise security processes to consulting services with good risk assessment practices.
Another big area is building skills and capabilities of CISOs across enterprises so they view security holistically and make it a critical part of the company's growth strategy.
One can anticipate a stronger consolidation between the security division and board members in understanding risk elements and a cross-functional approach.
Challenges and Lessons
Nandikotkur: What were the key challenges the security fraternity faced in 2014 and the lessons learned?
Deshpande: 2014 threw up a series of attacks, threats and breaches challenging the security community at every step. A large proportion was a combination of malicious threats, DDoS and APTs that affected the people and processes. CISOs battled sophisticated cyber-attacks as the cybercrime ratio soared.
The most important learning has been to realize the need and importance of devising a strategy to combat zero-day attacks by taking a risk-based approach. CISOs are now evaluating ways to move beyond basic security practices and find ways to deploy best practices in handling external threats. I clearly see the top management getting involved in enabling best security practices within organisations and to think about investment exclusively in the security framework.
Nandikotkur: How do you see the security spending curve in the APAC region this year?
Deshpande: According to an IT spending survey result we just came out with, I can clearly say that IT security is taking center stage among all enterprises. The APAC region witnessed 5.6 percent of the total IT spend on IT security in 2013, which increased to 8.3 percent of the total IT spend in 2014. This will go up significantly this year. Out of this, about 3.9 percent was spent on risk-associated technologies, 2.6 percent on application-related [technologies] and about 1.8 percent on infrastructure security. APAC takes a lead as compared to North America, EMEA and Latin America, whose IT security spending has been 7.4 percent, 4.5 percent and 3.4 percent of the IT spending, respectively.
Besides, our survey indicated that the IT security spending per employee in the APAC region is more as compared to other geographies. For instance, enterprises in the APAC region are investing $647 per employee, while it is $472, $476 and $415 in North America, EMEA and Latin America, respectively.
This year will also see 40 percent of enterprises investing in security data warehouse technologies, and 40 percent of them spending on developing forensic capabilities.
Based on our observation, we predict that by 2020, about 60 percent of the security budgets will revolve around solutions for rapid detection and response. Without any doubt, by about 2018, about 80 percent of the organizations across APAC will invest in end-point protection technologies for user activity monitoring.
Security Practices in 2015
Nandikotkur: Given the increased spending, what are the new areas of security practices that enterprises will administer in 2015?
Deshpande: Most important are the preventive measures. CISOs will largely leverage analytical tools and deploy solutions, detective analysis, and retrospective and predictive analysis to create an effective interface to communicate with each other. Threat intelligence is one important area, hence developing a product-based architecture that enables identifying various types of attacks and associated adversaries.
Skill development is another area - to develop expertise in vulnerability testing, risk assessment, penetration testing, forensic capabilities and form committees to develop an incident response plan.
These committees will have a centralized view of overseeing the security of the organization and make decisions on security needs and framework.
Cloud is taking a positive curve, and enterprises will get cloud ready by implementing appropriate security controls and threat prevention and data security solutions. Cloud-as-a-service is not a distant phenomenon, as I'd expect many organizations to deploy an application and deliver it as a cloud model. CISOs challenged on the governance part will take control over cloud governance and evolve an enterprisewide cloud policy to combat the business of shadow IT.