Complex Cyber Threats Creating New Managed Security Services Opportunities

As breaches and cyber threats continue to mount, so do the government and industry regulations designed to increase enterprise security, fight consumer data theft, and protect critical infrastructure. And as the complexities of security and regulatory compliance increase, so does the need for organizations to turn to the expertise of the channel to manage risk more effectively.

According to a recent report by Global Industry Analysts, the market for managed security services will reach $8.4 billion by 2015. A separate report, from the same group, pegs the market for all IT security products and services at $125 billion that same year.

Consider the recent Epsilon breach, where many dozens of companies had their customer contact information stolen. Following that breach, there's been talk in Washington D.C. of even more stringent privacy laws for companies that handle customer data. And this comes at a time when the industry already faces stern data security laws.

This March, the state of Massachusetts fined restaurant chain Briar Group LLC $110,000 over allegations that the company failed to adequately protect patrons' personal information following the planting of a malicious program. The program reportedly enabled the theft of customer credit card information. The Briar Group was one of the first companies fined under that commonwealth's new data privacy law, 201 CMR 17.


Consumer information and credit card data are not the only areas where regulatory demands are ratcheting up. The same is happening in health care, critical infrastructure, financial services, and other sectors.

"Three or four years ago, companies were looking to check boxes just to get 'compliant' and be able to pass an audit," says Cindy Bellefeuille, director of governance, risk, and compliance services at New York-based Verizon Business.

"Today, they are looking to get a risk-based security management program in place. And rather than start with a compliance mandate or program, they are asking us to help them understand their business, understand their risk, and build a security program that makes sense," Bellefeuille adds. "Compliance then builds from that."

Prescribing A Regulatory Compliance Fix

In the race to deploy electronic medical records (EMRs), the health-care industry is undergoing perhaps the most rapid regulatory and security change. According to market research firm Kalorama Information, the market for EMRs hit $15.7 billion in 2010, with an annual growth rate of 13.6 percent.

In early 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009. The objective of HITECH is to promote the adoption and meaningful use of health information technology. Subtitle D of the act addresses the privacy and security concerns associated with the electronic transmission of health information. Noncompliance and the mishandling of patient electronic records can net fines of up to $1.5 million.

The result is that many organizations involved in the delivery of care -- insurers, providers, doctors' offices, labs, and others -- need help not only in achieving compliance with HIPAA (Health Insurance Portability and Accountability Act) and HITECH, but in figuring out how to secure the EHRs they're deploying. "They need to find their security and compliance gaps, secure their databases, networks, and Web applications," explains Edward Schwartz, chief security officer at network security firm NetWitness, recently acquired by EMC to become part of its RSA security unit. "There is a lot of work for them to do," says Schwartz.

That's no understatement. The U.S. Department of Health and Human Services' Office for Civil Rights, which began tracking breaches affecting 500 or more people on Sept. 22, 2009, had recorded 214 such incidents by the end of 2010, involving more than 6.3 million people.

"Here we have a very complex industry, and it wants to move to the electronic distribution of records," says Schwartz. "It's worse than what happened with online credit card transactions and the Payment Card Industry Data Security Standard (PCI DSS). This will be very challenging from a security perspective."

Some of those challenges include the relative lack of technical sophistication at many smaller providers in the health-care service delivery chain, the rapid deployment of new medical record technology, and tight budgets. Few of these organizations have the expertise in house to craft a security architecture around their systems. "Organizations need to take a close look at what they are good at, and what they are not good at," says Schwartz. "They are good at paying claims and providing services, but if they can't afford a substantial security team and supporting technology, it's time they start thinking about outsourcing for those skills."

Keeping The Lights On -- Critical Infrastructure Security Defenses

Compliance and security-related spending also is increasing in critical infrastructure and utilities.

A recent survey produced by the Center for Strategic and International Studies (CSIS), and funded by IT security firm McAfee, found a startling gap between where critical infrastructure security actually is today and where it should be. The survey polled 200 IT security executives from critical power infrastructure providers in 14 countries. It found that 40 percent of those surveyed believe their industry has become more vulnerable than it was the prior year; about 30 percent also believe their company is not prepared for a cyber attack.

To improve resiliency against such attacks, the bulk power generation industry is now working to comply more fully with NERC's Critical Infrastructure Protection (CIP) regulations. The CIP regulations are designed to protect the bulk power generation and delivery infrastructure by establishing a minimum acceptable level of risk. They do so by requiring thorough log collection and analysis, access control, reporting, deployment of intrusion detection/prevention systems, and other controls. Solution providers who have worked extensively with utilities say that, while many utilities have improved from where they were a few years ago, there is still much more to be done. "Many utility companies are extremely vulnerable," says Eric Knapp, director of critical infrastructure markets at NitroSecurity.

To close those vulnerabilities, utilities are deploying more traditional IT technologies, such as firewalls, intrusion detection systems, and security information and event managers, around crucial systems, Knapp explains. They're also increasing their use of security-related services. "We see them requesting more penetration tests," he says, so that utilities obtain a better view of the viability of their entire security architecture.

"Critical infrastructures are going through the same kind of growing pains as the IT industry has over the years," adds Mike Sconzo, principal security consultant at NetWitness. "The first version of the CIP standard consisted primarily of security box checking; however, many are now moving toward more risk-based assessments. A lot of people are realizing that risk-based security management is not such a horrific idea," he says.

That means more utilities will be looking at compliance as a continuous process, rather than a once-a-year event. They'll need help, analysts say, with regular vulnerability assessments and penetration tests, and building the processes necessary to maintain a sustained level of acceptable security.

"The key is getting everyone involved to realize that security is a continuous process; just as many in IT learned basic security best practices a decade ago and built from there, so must utilities and other critical infrastructures," says Sconzo.

Dollars and Cents -- Long Term Governance Cuts Costs

Another area where solution providers can help enterprises with their regulatory efforts is by providing the guidance they need to streamline those efforts.

Organizations need help trimming duplicate processes, identifying areas that reap more return on their effort, and finding gaps between where their programs should be and where they actually are today. Broadly, these efforts fall under the once-stalled Governance, Risk, and Compliance (GRC) market. According to Forrester Research, the GRC platform market grew to $749 million in 2010 from $635 million the prior year, and is expected to grow at an annual clip of 20 percent.

"Companies of all sizes and in many verticals are looking to improve their security and compliance operations," says Verizon's Bellefeuille.

For instance, many organizations may have duplicate security controls in place for Sarbanes-Oxley, HIPAA, and PCI DSS -- such as password rules, vulnerability assessments, and identity management controls -- and they need to find a way to coalesce these efforts. "They want to get away from the situation where they have different policies for each regulatory demand, and build a more sustainable, cost-efficient program," Bellefeuille says.

One misconception is that compliance is expensive. That may not be the case, if the Ponemon True Cost of Compliance study is accurate. According to that report, the extrapolated average cost of compliance for 46 organizations came to more than $3.5 million, or about $222 per employee.

Surprisingly, the study found, the cost of noncompliance for 46 organizations was much higher, at $9.4 million, or $820 per employee. The cost of noncompliance, according to Ponemon, includes factors such as business disruption, productivity loss, revenue loss, fines, and penalties.

"If the solution provider has a strong background in security, it can show the organization how to be smarter about risk reduction," says Pete Lindstrom, research director at security market research firm Spire Security.

"The goal should be to automate as much of the compliance management as possible, identify all of the controls an organization has in place, map those controls to what they're doing operationally, and then look for ways to make the program and audits more efficient," he says. "It doesn't matter what industry or number of regulations an organization falls under; every enterprise should be trying to improve its compliance efforts this way."