Staffing, cloud computing and IT compliance are top challenges facing enterprise security this year, according to the 2010 State of Enterprise Security report recently released by Cupertino, Calif.-based Symantec Corp. The study, based on a survey of 2,100 enterprise CIOs, CISOs and IT managers from 27 countries, finds enterprise security “becoming more difficult due to a number of factors” and highlights three specific areas of concern.

One, enterprise security is understaffed, with the most affected areas being network security (44 per cent), endpoint security (44 per cent) and messaging security (39 per cent), the report stated. Second, initiatives that IT rated as most problematic from a security standpoint include infrastructure-as-as-a-service, platform-as-a-service, server virtualization, endpoint virtualization and software-as-a-service. Third, the typical enterprise is exploring 19 separate IT standards and frameworks and are currently employing eight of them. The top standards include ISO, HIPAA, Sarbanes-Oxley, CIS, PCI and ITIL.

Every enterprise surveyed experienced cyber losses in 2009, with the top three losses being theft of intellectual property, of customer credit card information (or other financial information) and of customer personally identifiable information. These losses, the survey found, translated to monetary costs 92 per cent of the time. The top three costs were productivity, revenue and loss of customer trust.

Enterprises are also forecasting upcoming changes to security, with 94 per cent of respondents anticipating changes to security in 2010 and 48 per cent “expecting major changes” to take place, the survey found. These major changes include increased utilization of virtualization within the enterprise and moving portions of enterprise infrastructure to some type of cloud-based service, according to Matthew Steele, director of strategic technology at Symantec. “We are also seeing a lot updating of existing security technologies and … big drives on the compliance side,” he said.

To tackle security challenges related to virtualization, Steele recommends enterprises architect their security based on the information they want to protect and provide a similar security structure for the data wherever it is located. “I’m not saying that is easy to do, but if you focus on the target of the attack and understand you want to protect the data and understand where that data lives, you can start to at least have a model where you can adapt the security profile of the infrastructure as that data moves,” he said.