
Regulations, security failure costs will keep security VARs healthy through 2010

By Kevin Fogarty, News Director
31 Oct 2006 | SearchSecurityChannel.com


A new report from International Data Corp. is putting recent data behind the security adage that processes and people are more important than technology in preventing either malware infections or breaches of sensitive data.


Sponsored by the non-profit International Information Systems Security Certification Consortium -- (ISC)² -- the report ranks the most important elements of a security infrastructure.

The top three include support from top managers for security policies, users who consistently follow those policies, and an IT department or solution provider whose qualified staff has up-to-date training. Security software and hardware don't show up as factors until after those top three are met, the report said.

The good news is that responsibility for establishing and enforcing a security policy is more often spread among top managers in IT as well as business managers, rather than left to specialists who operate at the margins of the business instead of at its core.

That change is partly driven by a greater awareness of the risks of electronic break-ins, the acceleration in the number of threats a typical company faces and the cost of having sensitive data compromised.

Those human responsibilities and the proper maintenance of both policies and technology, which are often difficult to address without outside consulting and ongoing services and support, are a perfect target for value-added resellers (VARs) and security consultants, according to Jeff Kaplan of THINKstrategies Inc. in Wellesley, Mass.

According to a report from the Ponemon Institute, data breaches cost U.S. companies an average of $182 per compromised record – 31% more than last year.

Costs include everything from production and postage for notification letters to legal fees to absorbing the cost for credit-monitoring subscriptions customers can use to spot any potential fraud stemming from the data loss, to the cost of losing a customer altogether.

The Elk Rapids, Mich.-based consulting company studied 31 companies that had suffered significant data breaches, the total cost of which ranged between $1 million and $22 million.

The IT costs, beyond the addition of preventative measures, were negligible.

The problem, according to the Ponemon report that was published in March, is that few companies can identify a specific person or department that is responsible for protecting all of a company's data. Assigning that responsibility improves security measurably, the report said.

IDC's finding, published Monday, is a step forward in that area, not only for the end-user companies, but also for the service companies they hire to reinforce their own efforts.

IDC estimates that the global population of IT professionals increased 8.1% between 2005 and 2006, and will continue to rise at about 8% per year through 2010.

Among those employing the new IT workers, education in information security and risk management has become the No. 1 goal. Business continuity and forensics follow closely behind.

End-user organizations spend an average of 41% of their security budgets on personnel and training.

Those factors, plus the increasingly stringent financial-documentation requirements of U.S. and European companies, have caused a number of previously disparate functions to merge into a market definable as centering on "security compliance and control" (SCC).

SCC products and services include content control, information-security auditing and documentation, version control, records management, vulnerability management, identity and access management, and compliance services.

IDC estimates that products and services that can be described as falling under the SCC banner will reach $7.4 billion by the end of the year.

Much of that market – certainly the products and most of the services – will be fulfilled by value-added resellers and specialty security services companies, analysts said, making security a strong and stable market for VARs and integrators through at least the end of 2010.


