Security is in a "trough of complacency" in the boardroom but getting it back on the agenda depends on security officers taking a different approach -- evaluating the benefit of protecting against tomorrow's threats, not yesterday's, according to one analyst.
Security has dropped off the list of priorities for CIOs due to an inability to calculate the effect it has on the bottom line, and a lack of foresight on the part of some security professionals, according to Gartner's research vice-president and security specialist Jay Heiser, who addressed the Gartner Symposium yesterday.
"I've had a lot of security officers tell me that there's no way they can do what they need to do to secure a network and come in under budget, but throwing money at it isn't going to solve the problem," he said.
Matthew McGlashan, team coordinator at the Australian Computer Emergency Response Team (AusCERT), said that while the value of security is difficult to calculate in dollar figure terms, security officers "need to be able to show a return on investment to the business".
McGlashan believes that one of the only effective ways of doing this is for security personnel to show what breaches have happened elsewhere as a means of illustrating security's continuing importance to the enterprise.
"There's almost no correlation between the effectiveness of security and the level of spending: in fact, the better the security the harder it is to account," said Gartner's Heiser, because there are no means to calculate what could have been lost from a potential breach.
He claimed that enterprise security officers are often forced into a zero sum game where they have to appear to be doing something about every possible risk at any given time, putting considerable strain on budgets and staff.
"Part of the problem is that IT managers can't identify a potential threat and then say to business managers that they're choosing not to mitigate against it," said James Turner, security analyst at Intelligence Business Research Services (IBRS).
Gartner's Heiser proposed a new security model -- Security 3.0 -- based on determining acceptable risks and anticipating future threats rather than over-allocating resources to current dangers.
"We've got to change the orientation from after the fact to anticipating what the next move is going to be," he said.
IBRS's Turner described the current environment as an "arms race", adding: "As soon as you implement one measure a new attack evolves, it would be really good if we could see into the future, and I suppose we need people to try and encourage us to do so."
He believes that the most important step in the evolution of risk management is the response of professionals to the new breed of attackers, as security officers are now squaring up against highly organised cybercriminals, and not just "lone wolf hackers" as they once were.
This has "definitely raised the stakes for security professionals", he said.
According to Gartner's Heiser, the most effective security regimes of the future would employ emergent technology as a means of reducing the threat posed by users in the security equation, saying that leaving it up to users to secure their own systems effectively was "essentially anarchy".
Heiser said that Mandatory Access Control (MAC) is an example of a recent technology which still allows users access to sensitive data, but limits what they can do with it. In the case of a document MAC can give administrators control over user operations such as copy and paste and printing, and disable them should they deem it necessary.
IBRS's Turner concluded: "The value in what Heiser is talking about is that it raises awareness about security, if it needs to be attached to a catchy term like Security 3.0 to get peoples attention then I don't see the problem with that."