Back to Air Transport IT Review - Issue 1, April 2009

IT security - pros, cons and compliance

Economic pressures and perennial threats to the IT network and infrastructure will govern the success of IT security strategy in the air transport industry this year, according to the latest SITA Global IT Security Survey.

Airlines and air freight organizations have significantly changed the way they deal with security management in relation to previous years, says the latest SITA Global IT Security Survey. Best practice measures have seen a major improvement, with 14 percent more airlines in 2009, compared to last year, believing this to be the case.

The economic downturn is having only a nominal influence on security budgets compared to last year. However, the number of businesses seeing cost cutting as a primary driver for outsourcing has increased dramatically from 36 percent in the 2008 survey to 58 percent in 2009. Despite budget stability, cost efficiency is clearly playing a major role in decision making.

Compliance priorities

Compliance formed a major area of focus as an increasing part of the IT and security professional's remit. Overall, 42 percent of respondents stated that they had input into IT compliance for their respective organizations.

The majority of those respondents place a high level of importance on the challenges that lay ahead in meeting compliance standards over coming years. In particular, industry and customer information compliance are considered important to the business.

Resources, skills and budget also play a fundamental role in the bottlenecks that appear in dealing with compliance initiatives.

With IT security and compliance increasingly interdependent, there is clearly a call to action to ensure that compliance initiatives are not compromised by skills and resource shortages. As key issues such as data protection and credit / debit card transaction assurance become more open to compliance regulation, there is a risk that increased best practice in security strategy is undermined by compliance shortfalls.

Upgrade status

While real-time updates are the most desirable option to keep both data and security perimeters up-to-date, many instances exist where this functionality is absent. Even in areas where real-time upgrades are prevalent, such as virus upgrades and patches, only 51 percent of respondents manage to achieve real-time status.

Meanwhile, IT security budgets appear somewhat insulated from budget review, given the pressure of highly competitive markets, fluctuating fuel costs and the wider downturn.

Though there is a slight increase in static budgets, with 34 percent seeing budgets fixed in 2009 against 30 percent in the previous year's survey, the picture year-on-year is consistent. However, fixed budgets year-on-year will make it more challenging for companies to introduce new security measures or innovations.

In summary

There are encouraging signs of improvement in how security threats are evaluated and measured. But some holes appear in the level of automation surrounding simple areas of IT security such as virus upgrades and mobile device management: 49 percent of businesses do not have real-time virus upgrades in place on the network.

Overall, there are considerable improvements, but still many challenges to be faced in creating a more secure IT environment.

The SITA Global IT Security Survey 2009 interviewed 183 director-level technology professionals across the Americas, Northern Europe, Southern Europe, Middle East and Asia Pacific. Interviews were conducted during December 2008 by Loudhouse Research.

Recommendations

SITA's 2009 Global IT Security Survey cites five key recommendations:

Improve security threat evaluation: Many businesses (66 percent) still struggle with security management information. Prioritize this issue in 2009.
Ensure best practice delivers: Security operations must deliver within these frameworks - practical shortfalls in security strategy still seem to be evident.
Monitor software 'sell-by' dates: Provide constant scrutiny of suitable upgrade agreements and implementations, along with a vigilant approach to virus and security upgrade scheduling.
Establish compliance connections: Integrate compliance and security functions to achieve key transactional and security standards as part of 2009 strategic objectives.
Maximize security spending value: Since 2010 budgets remain uncertain, 2009 may be a window for completion or acceleration of key security implementations for specific businesses and the industry as a whole.