A Security Q&A with Gartner’s Rob McMillan


1. Are Australian IT security budgets increasing in 2013?
The Australian security technology and services market is forecast to reach more than A$1.7 billion in 2013, up 12.2 percent from $1.5 billion in 2012, according to the latest Gartner forecast. Spending on security has been relatively well protected in Australia over the previous two years, as the global financial crisis hasn’t put the same downward pressure on security budgets as it has elsewhere. Some reforms that are now taking place, such as changes to the Australian Privacy Act, will add further impetus to the consumption of services.

Spending patterns tend to differ across industry verticals. Financial services and government are traditionally the biggest spenders on security in Australia. The natural resources sector, however, is where we are seeing the biggest growth this year. Traditionally, organisations in this sector haven’t been big spenders, and while they still don’t want to spend very much, we are seeing a noticeable increase in spend. Some clients in this industry are now actively developing new security programs where they haven’t really had them before and are hiring chief information security officers (CISOs). These organisations are aware of the value of the assets that they have (particularly intellectual property) and are now far more aware of the risks that face this industry than in previous years, especially from factors such as information about mining opportunities, engineering capabilities, insider information on deals and so on. These are examples of real-world business-oriented risks that IT needs to respond to.

2. What are the major trends influencing security spending in Australia for 2013?
Gartner sees a nexus of four disruptive forces shaping the security market: mobile security, cloud computing, big data and changes to the concept of identity. Added to this is the ever increasing sophistication of advanced targeted attacks. I particularly get asked a lot of questions about cloud and mobility in Australia and how to take advantage of these industry forces while managing the risks. The advantage of developing a cloud strategy right now is that businesses can at least do some pre-planning and develop a relatively stable infrastructure approach that supports agility; however, this opportunity to plan ahead will evaporate quickly once organisations decide to utilise cloud without including the security team in the discussion. Smart organisations will realise in advance that there is going to be some security spend required with a planned uptake of cloud. Others will organically adopt cloud and then figure out that they need to spend something on security later on, possibly as a result of an adverse event, such as an audit finding or a security incident.

From a mobility perspective, there are so many organisations now that already have a BYOD program in place, whether they know it or not. With the move towards devices such as tablets, organisations are rethinking how they manage security. For example, the potential consequences for even simple mishaps, such as the consequences of the new privacy changes, will bring home to decision makers just how easy it is to lose sensitive information when it is sitting on a tablet, especially if the device is either lost or disposed of without having the right security precautions in place. The personal nature of these devices will help make security more visible to decision makers, and therefore, easier in some ways for security practitioners to get those issues on the table.

Smart organisations are realising that the effect of these forces is not short term. We will continue to see a more complex environment evolve over the next five years.

3. Will the changes to the Privacy Amendment Act impact spending?
The Australian Government passed the Privacy Amendment Act 2012, changing the Australian privacy landscape from March next year. Complying with these new and complex privacy concepts creates an added burden for companies, and risk-averse organisations should start preparing immediately. The Privacy Act contains some vague security requirements, although the Office of the Australian Information Commissioner is producing guidance to provide greater clarity. In the event of a significant complaint, an organisation that is unable to quickly demonstrate a program for compliance to the Act may experience a painful investigation and penalty.

With our Security & Risk Management Summit coming up in August in Sydney, we did some market research that shows privacy is a higher priority than it has ever been before – it was in the top three focus areas. While not the same, security and privacy tend to go hand in hand and are closely related. Organisations will generally fall into one of three categories:
• Those who are on top of it as part of their ethos to do security well;
• Others who will at least be getting on top of it now in preparation so they won’t have any issues; and
• The laggards who will suddenly wake up when the new provisions to the Act become enforceable next year and wonder what they are going to have to do about it. Inevitably this third group will have some real problems.

The bottom line, as always, is to know what your risks are and then address them. If one of those risks is the possibility of a huge fine from the Privacy Commissioner or loss of customer confidence arising from loss of personal information, then this is an issue worthy of a response. Historically, privacy is not something high on people’s radar as the Act has not carried significant penalties. The changes to the Privacy Act represent an escalation on privacy risk and they are therefore likely to influence a shift in spending. This doesn’t necessarily mean that organisations are going to go spend a lot of money preparing for it per se; however, some funds might be reallocated or privacy might be a topic that gets greater boardroom focus.
