
Torben Pedersen

Consulting Manager
IDC CEMA

The Security Jungle


Assessing Risks, Costs and Solutions

IDC IT Security Roadshow 2006

www.idc.com
IDC IT Security Taxonomy
Trying to Stay Ahead of Threats

[Figure: specialized technical knowledge required (vertical axis, High to Low) against time (horizontal axis, 1980 to 2005), with three skill bands: Professionals, Insiders, Amateurs. Labels on the chart: reverse engineering; anti-detection; machine level programming; packet forging / spoofing; encryption knowledge; tools; OS knowledge; exploiting known vulnerabilities; back doors; stealth diagnostics; virus and hacker script writing; hijacking sessions; vulnerability knowledge; self-replicating code; disabling audits; limited programming (e.g. macros, scripts, and VBS); password cracking; automated programming; password guessing.]


Today's Security Market Issues:
Fighting the Flood
• Confusion:
  - Still a lot of questions about what's needed
  - Reluctance to deal with multiple product vendors
• Media Attention
  - Builds Awareness
  - Focus on disaster stories
• Risk vs. Threat
  - Trying to understand real and acceptable risk
  - Moving away from just combating threats
• Perception
  - Security as a business issue or IT issue
• Legislation
  - Compliance & regulation giving security higher priority within the organization

What Drives the Security Markets?

Highly publicized security breaches at banks, utilities etc., both malicious and accidental
Major virus scares highlight weaknesses
Greater focus on data protection and privacy, and subsequent legislation
Lack of skilled security personnel and very high prices for those who are available
Sept. 11 and subsequent events greatly increase the feeling of vulnerability and change the way security is viewed

Opportunities in security are fuelled by

Fear, Uncertainty, Doubt


Inhibitors To Growth of Security Markets
[Figure: inhibitors plotted over time (horizontal axis, 2000 to 2005). Labels on the chart: Lack of Awareness of Threat; Little recognition at executive level; Lack of budget; Lack of understanding risk; Complexity of solutions; Little support at executive level; Wild media claims; Interoperability of solutions; Poor business justification metrics; No real leaders in many areas; Market Consolidation; Others.]


What Are the Most Serious Threats Facing Corporations Today?

Source: IDC 2004 survey of 600 firms across North America


Factors Affecting Deployment of Security
in North America Today
[Figure: bar chart, horizontal axis 0% to 70%, with series 10-99, 100-999 and 1000+. Factors shown: Increased Internet use; VPNs; Internal Security breach; Government regulations; Wireless LANs (802.11); External Security breach; E-commerce; Audit results; Corporate restructuring.]

Source: IDC 2004, interviews with 859 CIOs across North America
Security Investment Priorities Among
Large Organizations in North America

Source: IDC 2004, interviews with 859 CIOs across North America
Importance of Security SW in Select CEE
Countries, 2005

[Figure: bar chart of security software as % of total software spending (axis 0% to 7%) for CEE, Croatia, Czech, Hungary, Poland, Slovakia, Romania, Russia.]

CEE companies spend 5% of their software budget on security!!


IDC Survey: Most Used Software Security
Among SMEs in the CEE Region

[Figure: bar chart, % of respondents (0 to 100), for AV, Firewall/VPN, 3A, Sec Admin, Encryption. Series: Use Now, Within Next Year, No Plans.]

Source: IDC 2005 survey of 800 SMEs across CEE


IDC Survey: Least Used Software Security
Among SMEs in CEE

[Figure: bar chart, % of respondents (0 to 100), for Intrusion Det, Incident Mgmnt, Vulnerability, Policy Compliance. Series: Use Now, Within Next Year, No Plans.]

Source: IDC 2005 survey of 800 SMEs across CEE


The Next HOT Security Topic
Information Leakage!

IDC-developed term addressing companies' internal threats
Covers unauthorized distribution, whether intentionally or inadvertently, of digital assets.
• 3 key questions:
  - What types of information are considered confidential or non-public and need to be protected against leakage?
  - Which exit points should be protected?
  - Which user groups pose the greatest threat?

Key Drivers for ILD&P Adoption

• Information-intensive Regulations
  - Sarbanes-Oxley
  - HIPAA
  - GLBA
  - California SB 1386
  - European Union Data Protection Directive
  - Basel II
• The Mobile Enterprise
• Increasing email Usage
• Proliferation of Instant Messaging and P2P

Worldwide IT Security Software
Spending, 2005

Western Europe: $3.41 bn (28.6%)
CEE: $196.96 mn (1.6%)
North America: $5.96 bn (50.0%)
Asia Pacific: $1.97 bn (16.5%)
MEA: $245.74 mn (2.1%)

Total 2005 = $11.9 billion


Romanian Security Software Market, 2004
Market Anchored Largely by Basic SCM/AV Spending
Still Plenty of Room for Increased Spending
Lack of Coordinated IT Security Policies in Many Romanian Companies = Basic Demands
Threat Management Now Accepted in Romania
Little Demand So Far for Identity and Access Management
Basic Infrastructure Development in Progress
Spending up 17% in 2004

[Figure: pie chart, 2004 Revenue = $5.29 million. Segments: SCM 49.0%; Threat Mgmnt; Sec & Vuln Mgmnt; IAM; Others. Remaining values shown on the chart: 35.2%, 8.5%, 5.5%, 1.7%.]


Market Shares for Security Software in
Romania, 2004

Symantec Leads Overall Market Based on Large Installed Base and Complete Security Offering
Local Hero Softwin Holds a Key Place in the Market
Security SW Spending Heavily Concentrated in Telco, Banking and Public Sector

[Figure: pie chart, 2004 Revenue = $5.29 million. Segments: Symantec, Softwin, McAfee, RSA, EnTrust, Checkpoint, Others.]


Central Europe IT Security Market by Size
and Growth
[Figure: Central Europe Security Spending by Technology. Vertical axis: % Growth 2003-2008 (0% to 40%). Horizontal axis: Relative Size of IT Spending, 2004. Technologies plotted: Appliances; ID&A Mgmnt; SVM; SCM; IT Services; Other SW; Threat Mgmnt.]

Combined Regional Spending of US$ 410.4 Million in 2004

Where Do We Go From Here?
[Figure: quadrant diagram. Vertical axis: Perception of Security (Business to IT). Horizontal axis: supply side (Fragmented to Consolidated). Quadrant labels: 2-Speed Europe; Business Rules!; Now; Rat Race. Markers: We Are Here; We Should Be Going Here; We May End Up Here.]

2-Speed Europe: Security Seen More as a Business Issue; Fragmented Supply Side; Competition at High-End; Supply of Middle-Market Gets Second Best Services
Now: Fragmented Supply Side; Security Seen as an IT Issue; IT Driven; High Confusion Levels

Questions?

Please email me at

tpedersen@idc.com
