McAfee Releases 2011 Risk & Compliance Market Outlook Report

Last week, McAfee released a report titled “Risk and Compliance Outlook for 2011″ which has some shocking end-user statistics around risk management, patch management, policy compliance, and configuration management. First up – 41% of companies admitted they are not well protected (or not aware how protected they are) against security risks. Maybe not so shocking to those of you in the know, but that’s a lot of businesses that are openingly saying they are wide open for attack by Night Dragon, Aurora, Conficker and (add your favorite malware name here). The sad thing is I’m sure all of these companies actually have security countermeasures in place, but just like putting up sandbags in a storm, they are not quite sure if they will hold. The problem is most companies, from mom ‘n pop to global enterprises, treat security as an afterthought – they design their server room or data centers around the infrastructure that is going to enable them to be agile, efficient and productive, and then afterwards start considering piecemeal security options that won’t impact their core performance and availability concerns. The right approach would be to architect security into the infrastructure from the onset – with an integrated approach so that they have complete visibility into their risk and compliance posture at any point in time and have countermeasures that correlate information and work together to provide impenetrable defenses. It can be done.

But back to the report, how about 56% of companies say they are looking for “countermeasure aware” risk management? In essence saying they are only looking at threats and vulnerabilities right now as their only indicator of risk. That’s like a burglar ignoring the fact that my house has an alarm system and two gigantic dogs and trying to break in anyway in spite of the fact that my neighbor has nothing.

Another interesting stat – 49% of companies try to “over protect” by patching everything they can when a Patch Tuesday or Out of Cycle patch comes out. Imagine how much time and resources are being wasted patching a bunch of systems that didn’t need it. I was not surprised by this stat, but just wished people knew that technology existed to pinpoint exactly what needs to be patched. The ROI on that one is easy to prove.

Shifting gears to compliance, 50% of companies indicated they have 10 or more regulations to deal with and 20% of companies said they have 50 or more to deal with. So why is it when I walk into one of these companies, they all ask me about one specific audit they want to pass. “Hey, can you help us pass the PCI audit?” or ”Hey, can you help us get past the SOX audit this year?” I start the discussion with “How many regulations do you actually need to address each year?”And then proceed to tell them that 80% of of IT controls are consistent across all regulations, so how about we automate those and help you pass all 24 of your regulations, rather than just the one that happens to be next month?

24% of organizations admitted they spend more than $250,000 annually on auditors. Many companies are in the millions. Great business for auditors! I worked with one company that automated IT controls like we suggested and they saved 40% on auditors in the first year alone. Just a thought…

54% of companies admitted they failed an audit and 9% of organizations said they have paid fines (again, some in the millions of dollars) to either industry or government bodies. How much could have been saved?

Compliance is still big business – it is perceived as the main budget driver for 25% of all IT security projects. Which means CSO’s and VP’s have figured out how to use the right buzz word to get their projects financed. Many conversations I’ve had with CSO center around the fact that they are really trying to focus on risk management and fund it by telling the board they need to address compliance. This is not all bad – by focusing on risk management and automating visibility and security risk, you are addressing a lot of compliance issues as a byproduct.

Let’s end on a happy note – 46% of companies said they plan to increase budgets for risk and compliance solutions in 2011! The budget increase is 21%, on average. Besides the fact that all of us R&C vendors can be quite happy about that, is this a broader market indicator that the economy is back?

There is some great information in this report – download it for free from the McAfee site and have a great 2011!

Tags: enterprise, IT Security, malware, Risk and Compliance