August 29, 2012 – People and process still make up the bulk of IT security concerns, but the next few years will be marked by parallel spikes in strategy to fortify enterprise data in the cloud and on personal devices, according to a new Gartner report.

In his “Top Security Trends and Takeaways for 2012 and 2013” assessment outlined Wednesday, Gartner Managing VP Ray Wagner named the cloud and consumerization, along with poor attack prevention, as the only “tech-based” risks to enterprise IT. The other security threats have a technical component, but have “more to do with being able to identify practices and procedures” within the enterprise than with deployment and tools. And, in the case of the cloud and BYOD, they are rising to the top of Gartner’s annual review of the security landscape.

On the consumerization of enterprise data, Gartner projects that 70 percent of the mobile workforce will operate entirely on personal “smart” devices by 2018, a figure Wagner says may be a low-ball estimate. On the security front, Wagner says the problem behind the enterprise savings and user freedom that come with consumerization is “managed diversity”: different security profiles, a range of trust levels for users and devices, and a diverse set of endpoints. Setting up a mobile device management framework means asking questions about device security levels, passwords, encryption, and user disposal and awareness. Wagner adds that managing device security may require acquiring virtual machine technology or new access portals for at least some transactions.

As more enterprise operations and projects move into the cloud and as-a-service offerings, Wagner says IT security concerns should increasingly center on two questions: what protection actually stands behind the service being bought, and how much risk attaches to the information being placed in it. An enterprise has more control over a large-scale data center deployment than over a SaaS solution, for instance, though the risk and the backup arrangements for that data vary as well. The increasingly tricky part for enterprise IT security officers, Wagner says, is the roughly half of cloud security decisions where oversight and accreditation are murkier.

“This is where you have to decide whether to trust and how much to trust that internal [cloud security] service. You may need to use a third-party or some custom assessments, and there seems to be more work to do,” says the security analyst, adding that full, enterprise-level cloud assessment standards are as far as five years off.

As a whole, Gartner’s 10 top security trends for the coming year are, in no order of importance:

  • Network security/security markets
  • Data security
  • Security monitoring
  • Consumerization/mobility
  • Identity and access management
  • Cloud security
  • Business continuity and disaster recovery
  • Privacy
  • Information governance and IT security
  • Security program maturity

To take new or further action on these items over the next six months, Wagner recommended mapping key security indicators onto business KPIs and establishing processes for estimating the life cycle and effectiveness of security controls. Over the coming 12 months, CIOs, CROs and CISOs should develop a long-term strategy for continuous security improvement and deliver an executive reporting scheme that presents security needs to a business audience.