Survey: Security Chiefs Expect Boost In Cloud Security Spending

The continued adoption of SaaS-based services and the shifting of data center resources to public and private cloud environments may be forcing organizations to shift IT spending to initiatives that support data protection, monitoring and managed security services.

The elasticity of the perimeter is growing increasingly difficult for security professionals to control, according to a survey of nearly 150 security chiefs conducted by IBM. Security budgets are expected to increase over the next three to five years, the security chiefs said.

The budget increases could be a boon for managed security services providers and the flood of emerging vendors selling security analytics, automated incident response and advanced threat detection capabilities, said Kris Lovejoy, general manager of IBM's security services division. New technology paradigms are going to require a skilled partner ecosystem of systems integrators, consultants and regional managed services providers with strong security practices, said Lovejoy, also a senior IT architect and systems engineer at IBM.

[Related: Intel Exec Tells Partners Missed Security Services Opportunity 'Criminal']

Sponsored post

"None of us has the ability to do everything," Lovejoy said. "The MSSPs often have skill sets in an application environment or a particular concept that feeds the architecture."

Solution providers tell CRN they are starting to see a rise in the number of opportunities in the pipeline driven in part by high-profile data breaches and more awareness about data security. In some cases, customers don't have the budget but they're beginning to assess what they have to prepare for security improvements, said David Sockol, president and CEO of security consulting firm Emagined Security.

"Customers are seeing through all these breaches that their data is vulnerable, especially in the cloud where they often don’t have as much control over data and processes," Sockol said. "They're starting to put protections in place around their cloud assets."

Cloud security remains a top concern for businesses, according to a variety of recent studies. The National Security Agency's extensive surveillance program, which surfaced last year, has prompted a better understanding about the privacy of data stored in cloud-based services, but it hasn't slowed the pace of adoption. About 85 percent of organizations are now moving to the cloud, survey respondents said. Protection against organized cybercriminals, hacktivists and governments that conduct cyberespionage put intellectual property at risk, according to the IBM survey.

NEXT: IBM, Other Vendors Rapidly Building Out Services Capabilities

There are a variety of point products on the market that address some of the concerns identified in the IBM survey, but they may be causing some confusion among organizations willing to spend money on new technology, said Edward Ferrara, principal analyst at Forrester Research. Ferrara said he doesn't expect a frenzy of acquisition activity, but managed security services providers and vendors with services arms will likely expand their products and services over time.

"There are too many point solutions out there or there aren't enough people who can implement and make this stuff work, Ferrara told CRN. "Vendors are taking the approach that what is needed is a broader portfolio of products combined with managed and professional services."

The trend may be a boon to regional solution providers with strong security practices, Ferrara said. Recent activity includes FireEye's acquisition of Mandiant for its services practice. BAE Systems acquired MSSP Silversky in a deal revealed last month.

Small and midsize businesses want the additional capabilities delivered in the cloud and that often requires increased security, but they often want it outsourced or managed, said Trish Southwell, executive vice president of sales operations at Frederick, Md.-based solution provider and security consultancy Patriot Technologies. Southwell said Patriot Technologies went from delivering infrastructure to building out its security practice and learned that finding the right talent is critical to delivering security products and services, she said.

"The partners have to be as educated calling on an enterprise account as they do an SMB if they want to be relevant to the client, but I think the clients need to know more about the whole security portfolio, not just point products," Southwell said. "Everybody has a lot of security products, but the value proposition is being able to go into a client and determining what they really need."

IBM's Lovejoy said the company has made managed security and professional security services expansion a key part of its overall strategy and wouldn't rule out acquisitions of strong regional MSPs. The company partners with AT&T and is rapidly expanding capabilities to include SaaS-based security offerings, professional security services engagements and a larger range of security services, beyond traditional IBM customers that adopt Big Blue's Tivoli line, Lovejoy said.

Organizations should be focusing on the quick wins first, said Paul Bivian, who serves as chief information security officer at the city of Chicago. Speaking at the Intel Security Focus conference last week, Bivian said patching and vulnerability and configuration management are areas that matter most. About 5 percent to 7 percent of the city's IT budget is dedicated to information security, he said.

"We are trying to develop a risk-based decision making model for the city of Chicago," Bivian said. "[To bolster security spending] we got creative with Cook County and created a strategic plan that enabled us to get federal funds."