North American Enterprise IT Users – Security and Identity Access and Management Outlook
Prepared by The Strategic Counsel for CA

Key Findings

North American organizations continue to be challenged with security and compliance issues. Increasingly, they are using Identity Access and Management Solutions to improve security and compliance. CA’s continuing development of its Identity Access and Management (IAM) products appears to synchronize with organizational trends toward integrated security solutions that support existing processes and layering security information management functionality on top of core IAM infrastructure.

To explore IT security and Identity Access and Management trends and developments, The Strategic Counsel conducted a survey of 642 large North American organizations covering:
• IAM Expectations
• Critical Factors in IAM Solution Choice
• Security Challenges and Costs
• Security Investment
• Impact of Lagging Security Investment
• Most Important Areas for Additional Security Spending
• Key Inhibitors to Additional Security Spending
• Graphics
• About the Survey

IAM Expectations

North American organizations are investing significantly in IAM. More than 75% of the organizations surveyed have implemented some form of IAM functionality, with a further 14% planning to implement or roll-out an IAM solution over the next 12-18 months. The key focus areas for IAM investment center on security, compliance and efficiency. Amongst those surveyed:
• The highest ranked primary delivery requirements for IAM investment are improved security, improved regulatory compliance, and better IT department efficiency and cost reduction
• In order to achieve these deliverables IAM investments/implementations are most expected to produce:
  o Improved customer and end-user self-service capabilities
  o Single sign-on
  o Improved audit capability and transparency
  o Better user account management

IAM Environment

The survey data shows stove-piping of identity and access may be playing a significant role in diminishing organizational efficiency:
• 6% of the organizations surveyed are able to provide new employees or contractors with access to all the applications or systems they require on their first day of work
  o More than 55% are unable to provide new employees or contractors with access to more than half of the applications or systems they require to do their jobs on their first day of work
• 78% of the organizations surveyed use application-specific directories for their key enterprise applications
• 64% of the organizations surveyed run application-specific authorization policies for their key enterprise applications

Critical Factors in IAM Solution Choice

Study respondents indicate integration and support for existing security infrastructure and processes are the key considerations in IAM solution choice.

Most Important/Critical Factors:
• Ability of vendor’s software to integrate with existing systems
• How well vendor’s software fits with organization’s IAM processes
• Solution features and functionality

As well, factors ranking highest for secondary importance in IAM solution choice point to market movement toward integrated, end-to-end solution providers rather than best-of-breed point solutions:
• A one vendor, integrated, end-to-end solution
• Ease of implementation
• End-user ease of use

Security Challenges and Costs

There has been significant growth in the number of organizations suffering known security attacks over the past three years. More than 84% of large North American organizations have suffered an identified security attack over the past 12 months compared to two-thirds in 2003 and 75% in 2004. The nature and understanding of security challenges has also changed:
• Three years ago relatively few large North American organizations (less than 20%) suffered identified network attacks and denial of service attacks
  o Currently 44% of large North American organizations say they have dealt with network attacks over the past 12 months
  o 33% say they have dealt with denial-of-service attacks over the past 12 months
  o 38% identify internal breaches of security as a key security challenge dealt with over the past 12 months

The increasing incidence and scope of threats has serious consequences for large North American organizations. 54% report lost workforce productivity as a result of security attacks over the past 12 months and 20% report lost revenue, customers, or other tangible assets. Organizational image and public perception are also key areas of concern in dealing with security attacks. Public embarrassment, loss of trust/confidence, and damage to reputation were identified as key costs suffered from security attacks or breaches by 25% of respondents. In fact, only lost productivity ranks higher as a cost suffered due to security attacks/breaches.

Security Investment

The survey results point to Identity Access and Management (IAM) solutions being a key area of security and compliance investment. Improved security and regulatory compliance are identified as the critical, primary benefits of IAM by study respondents. The high identification of IAM with security and compliance improvements appears to be generating strong growth rates for IAM solutions. Based on the forward-looking implementation and roll-out plans provided by respondents, 18% growth in the large North American organization user base for IAM over the next 12-18 months may be possible. On a sour note for overall IT security investment, 37% of respondents believe their organization’s spending on IT security is too low versus only 1% who believe it is too high.

Impact of Lagging Security Investment

Study respondents who indicate the proportion of their organization’s IT budget devoted to IT security is too low report a higher incidence of security attacks than those who believe their IT security spending is accurate. Those who believe their IT security spending is:
• Too Low: 77% suffered a virus attack in the past 12 months
• Adequate: 63% suffered a virus attack in the past 12 months
• Too Low: 40% suffered a network attack in the past 12 months
• Adequate: 44% suffered a network attack in the past 12 months
• Too Low: 32% suffered a denial-of-service attack in the past 12 months
• Adequate: 32% suffered a denial-of-service attack in the past 12 months
• Too Low: 49% suffered an internal breach of security in the past 12 months
• Adequate: 31% suffered an internal breach of security in the past 12 months

Most Important Areas for Additional Security Spending
1. Automated security event detection, logging and response
2. More end-user security and threat awareness
3. Improved vulnerability assessment

Key Inhibitors to Additional Security Spending
1. Complexity of security software
2. Little recognition of security problems at executive level
3. Lack of awareness of security threats

Graphics

Security Challenges
[Bar chart: percentage of organizations (TOTAL), scale 0 to 100. Callout: On the Rise]
• Virus attack: 68.5
• Network attack: 44.1
• Internal breach of security: 37.7
• Denial-of-service attack: 32.7
N=642. Q25. What types of security challenges has your organization dealt with over the past 12 months? Source: The Strategic Counsel, 2006
Strictly Privileged and Confidential

Costs of Security Attacks
[Bar chart: percentage of organizations (TOTAL), scale 0 to 100]
• Lost productivity: 54.2
• Embarrassment: 27.6
• Loss of trust/confidence: 26.6
• Damage to reputation: 23.4
• Reduced customer satisfaction: 22.3
• Loss of business/revenue/customers: 19.6
• Loss of confidential information: 17.0
• Loss of intellectual property: 15.1
Legend: Not as high as three years ago; Higher than three years ago; About the same as three years ago
N=642. Q26. What impact have these security challenges had on your organization? Source: The Strategic Counsel, 2006

Less Investment = More Attacks
[Bar chart: percentage of organizations, scale 0 to 100, grouped by whether IT security investment is Too Low or Adequate. Callout: Those who invest less tend to suffer more]
• Virus attack: Too Low 77.2, Adequate 62.9
• Network attack: Too Low 40.0, Adequate 43.8
• Internal breach of security: Too Low 48.8, Adequate 31.1
• Denial-of-service attack: Too Low 31.9, Adequate 32.0
N=642. Q25 and Q27. What types of security challenges has your organization dealt with over the past 12 months? Do you think the percentage of your organization’s total IT budget devoted to IT security is too low, adequate or too high? Source: The Strategic Counsel, 2006

Most Important Areas For Additional Security Spending
[Stacked bar chart, scale 0 to 100 percent. Legend: Extremely Critical; Critical; Neither Critical nor Not-Critical; Not Critical. Callout: Overall, the top areas are positively associated with Security Information Management]
Areas rated, in chart order:
• Automated security event detection, logging and response
• More end-user security and threat awareness
• Improved vulnerability management
• Improved audit capability
• More monitoring tools
• Improved policy enforcement
• Systems integration of existing security products
• Better data encryption capabilities
• Improved compliance assessment/sustainability
• Single sign-on
• Improved asset management
• More C-level security and threat awareness
• Improved dashboards and other BI
• More security administration staff
• More event correlation tools
N=642. Q14. If you had more money to spend on security, how critically would you rank the following areas for additional spending? Source: The Strategic Counsel, 2006

Key Inhibitors to Additional Security Spending
[Stacked bar chart, scale 0 to 100 percent. Legend: Completely Inhibits; Inhibits; Neither Inhibits nor Does Not Inhibit; Does Not Inhibit. Values are listed per bar, left to right]
• Complexity of security software: 16.7 / 37.6 / 26.9 / 18.9
• Little executive recognition of security problems: 15.4 / 33.1 / 27.4 / 24.1
• Lack of awareness of security threats: 14.7 / 33.1 / 27.4 / 24.9
• Cannot find products to meet functionality requirements: 18.2 / 29.1 / 30.1 / 22.6
• Poor interoperability of solutions: 15.2 / 32.1 / 33.1 / 19.7
• Poor manageability of solutions: 15.2 / 30.8 / 31.8 / 22.1
• Poor business justification metrics: 13.7 / 29.9 / 32.3 / 24.1
N=642. Q16. If you had more money to spend on security, how critically would you rank the following areas for additional spending? Source: The Strategic Counsel, 2006

Critical Factors in IAM Solution Choice
[Stacked bar chart, scale 0 to 100 percent. Legend: Very Important; Important; Neither Important nor Not-Important; Not Important]
Factors rated, in chart order:
• Fit with organizational IAM processes
• Ability of vendor's software to integrate with existing systems
• Ease of implementation
• End-user ease of use
• Solution features and functionality
• Ease of managing and administering solution
• Scalability
• System integration costs
• Ongoing software license and maintenance costs
• Out-of-box functionality
• Initial license price
• Rapid implementation
• Integrated end-to-end solution
• Best-of-breed functionality
• Support for B2B, B2C and B2E
• Vendor's IAM roadmap
• Solution built on open architecture
N=642. Q11. When making the final purchase decision for your investment in IAM, how important are or were the following? Source: The Strategic Counsel, 2006
About the Survey
The cross-North America survey of large North American organizations was conducted by The Strategic Counsel over January-May of 2006. The survey was conducted across the manufacturing, government, financial services, retail, communications, healthcare/pharmaceuticals, and oil & gas sectors and the survey sample size was 642. Survey margin of error ranges from +/- 2.6 to +/- 3.8 at a 95% confidence level.

About The Strategic Counsel

The Strategic Counsel is one of the fastest-growing research firms in North America. Established in 1995, The Strategic Counsel is the official polling firm for prominent national news and media organizations and works with a broad range of clients. The Strategic Counsel has gained an enviable reputation for accurate, innovative, client-focused market research that gets results. For information visit www.thestrategiccounsel.com.