Launch of Forrester's 2010 Security Survey

We’re just ramping up at Forrester to start our 2010 Business Data Services’ Security Survey. To begin, I’ve started taking a measured look at last year’s questions and data. Additionally, I’ll be incorporating input from those analysts with their ears closest to the ground in various areas, and will be considering the feedback from our existing BDS clients.

I also welcome input here into what you would find useful for us to ask of senior IT security decision-makers, as development of the survey will take place over the next three weeks.

The survey is scheduled to be fielded in May and early June—with the final data set becoming available in July. The projected sample size is 2,200 organizations across the US, Canada, France, the UK, and Germany: split roughly 2:1 between North America and Europe, and with a 55/45 split for SMBs (20-1000 employees) vs. enterprises (1000+ employees). Concurrently, we ask a separate set of questions to respondents from “very small businesses” (VSBs) with 2-19 employees. We also set quotas around industry groupings, so each industry is appropriately represented. We source our panel from LinkedIn, which provides an excellent quality of respondents.

The Security Survey is an invaluable tool that provides insight into a range of topics critical for strategy decision-making: IT security priorities and challenges; organizational structure and responsibilities; security budgets; and current adoption across all security technology segments, be they delivered as products or as SaaS/managed services, along with the associated drivers and challenges around each technology.

Here are a few valuable data points from last year’s survey:

  • Contrary to popular wisdom, enterprises are adopting managed security services more quickly than SMBs in 9 of the 12 security service categories we asked about.
  • IT security decision-makers expressed even more concern about consumerization (smart phones, Web 2.0, etc.) than about cloud or virtualization.
  • The level of compliance with PCI showed little progress: from 2007 to 2009, PCI compliance only rose from 46% to 51% among enterprises, and from 35% to 47% among SMBs. North American organizations are still not where they should be, and the level of PCI compliance in Europe is especially poor.
  • “Managing vulnerabilities and complex threats” moved several slots up the ranks to become the #2 IT security priority.

Naturally, we try to keep a lot of the survey the same year to year so we get useful trending data. But there are also several areas we’re thinking about adding or delving into more deeply, such as:

  • Emerging security issues: securing the cloud, cyber-security and critical infrastructure protection, and security associated with “smart” initiatives
  • More insight into data breaches: not just the number and average cost, but the vector for data loss and the indirect impact (loss of customers, bad publicity, etc.)
  • Security policy and technologies in place or planned to address both mobility and adoption of Web 2.0

If you have anything to share, please reach out to me through this blog or directly at



Re: Poor Levels of PCI compliance

Thought you might find this article that outlines a few of the expected changes to PCI in the next revision interesting, given your findings around PCI compliance.

What is interesting is that the expected changes could amount to a significant watering down of the standard, although there are some positive changes. Meanwhile it is interesting (not to mention redundant) that we see a growing number of states, the latest being Washington, seeking ways to enforce PCI compliance through its recent amendment of its breach notice law - HB1140.

The reach and influence of PCI

I haven't seen anything that denotes a watering down, but I'm going to ask my colleague John Kindervag - poobah of all things PCI - to weigh in on that.
Regarding Washington State's HB1140: didn't Massachusetts implement the same kind of thing allowing financial institutions to recoup the cost of reissuing credit/debit cards from the third party who was breached due to "negligence" - or perhaps it never actually passed?
With Washington and other states, as well as the framing of contractual obligations we see enterprises operating under, I think we're seeing a trend toward use of PCI as a template or outright model for necessary controls over sensitive data - be it cardholder data, other PII, or other sensitive information. While PCI offers some good guidelines, what worries me a bit is that PCI was designed not specifically to protect consumers, but to protect the credit card business.

The reach and influence of PCI

I'm not sure that the next revision of PCI will be "watered down." I have spoken to the PCI SSC and they have indicated that the focus of the revision will be clarifications. I suspect more will be revealed at the community meeting in September. Until then, there will be a ton of speculation.