In the report, titled 'Twelve Recommendations For Your 2011 Security Strategy,' lead author Khalid Kark notes that, although IT security professionals tend to own around 10% of the overall IT budget, many are still reporting challenges with budgets, staffing, and visibility within the broader organisation.
A recent Forrester survey, he says, indicated that 27% of European and 37% of North American organisations view "other priorities in the organisation taking precedence over security initiatives" as a major challenge.
However, adds Kark, despite the fact that the top three challenges for security leaders all relate to business orientation and alignment, the focus for the next 12 months will not be on efficiency, better reporting or business-IT alignment.
Instead, he says, most security leaders plan to focus on reactive areas such as data security and vulnerability and threat management.
On improving analytics, metrics and reporting, Forrester's report says this entails devising a strategy for emerging technologies such as cloud and mobile, shifting away from detective technologies towards preventive controls, and demonstrating the value of security with business and financial metrics.
As 2010 progresses into 2011, Kark says that we are seeing a rapidly evolving threat landscape. Not only are security threats more sophisticated, he observes, they are also targeted and stealthy.
"For example, a large global bank we spoke with discovers three to four attacks a week specifically targeting the bank. Similarly, a large manufacturing company we spoke with discovered that seven of its machines were infected with malware intended to steal its intellectual property", he said.
According to Kark, security professionals sometimes discover a breach only some time after the initial break-in, mainly because the attackers take special precautions to avoid detection and stay under the radar.
The main conclusions of the report are that, as IT security professionals prioritise their initiatives for 2011, they should avoid the temptation to focus on day-to-day tactical activities and operations.
Forrester recommends instead that professionals focus on the structural issues that will ultimately help build a strong security organisation and programme.
"Year after year, [IT] security continues to struggle with its importance, staffing, and budgets because we don't address the core issues – our security objectives do not align with business objectives", says the report.
"Security leaders also continue to use operational measures (not business and financial metrics) in a futile attempt to communicate value and the organisation's risk posture", it adds.
Against this backdrop, Forrester recommends that professionals focus on the initiatives that give them more visibility into the IT environment, so that they can analyse it and develop preventive measures for protecting the organisation.