For the last twelve years, 100% of CIOs have said that they expect to spend more on IT security, making security the only category that just keeps on absorbing investment. In each of the last three years, over 80% of enterprises have said that their IT security still needed improvement. So, like death and taxes, is security spending growth inevitable? If we keep on the way we have, it sure seems like it. But what might change?
Let’s start with what’s important to users. External threats, meaning hacking, are a problem for every CIO. Internal threats, from badly behaving employees, are a problem for three out of four. Data theft is a universal fear, and malware that interferes with applications and operations is an important problem for over 90% of CIOs. As far as approaches or targets are concerned, 100% say access security on applications and data is essential and so is regular malware scanning. If you ask CIOs to pick a single thing they think is essential for IT security, it’s access security.
Access security, according to CIOs, is ensuring that applications and data are accessed only by those with the right to do so. If you have it, they believe, then hacking poses little threat because hackers won’t be authorized. Malware that impersonates an authorized user may still have to be addressed, but access security can limit the scope of what malware can do. It’s no wonder that every security vendor offers something in access security, and it’s no wonder that the hottest topic in security, zero-trust security, is a form of access security. Given that access is almost always via a network connection, it’s reasonable to ask whether network security features could enhance access security and zero-trust, and maybe even slow the growth of security spending overall. If you can’t connect to it, you can’t hack it.
Let’s dissect that by starting with a critical statement: Zero-trust doesn’t mean there is no trust; it means that trust is never assumed. That which isn’t assumed is explicit, and that means that all true zero-trust strategies depend on deciding what information connections are valid. One way to do this is to require…