I've been told that IT security is growing up -- I've even written some things that might seem to imply that it has myself. But I am not so sure.
Network vendors and security vendors are very sensitive at the moment to suggestions that they are selling products based on fear. Companies used to sell firewalls and other stuff with a pitch that could be paraphrased as "This charm will save you from mysterious bad ju-ju!" Now they are trying to be more subtle.
I believe this is not because of any moral awakening, but because the scary-hacker sale is simply not working so well as it used to. In a downturn, the snake-oil and magic charms budget is one of the first to go (or at least it darn well should be). Any technology investment now has to prove its worth in terms of return on investment (ROI).
So this is why security vendors are trying new angles and sales pitches. All are somewhat flawed still, but at least show they have some new ideas. But are they signs of a maturing market?
1. "Hackers target big companies, but viruses are indiscriminate, so no one is safe."
This is probably true, but it's just a variation of the scary-hacker threat, designed to expand the market and sell security products to smaller companies that thought they were beneath the notice of deliberate attacks from big-time hackers. It faces the downside that if you repeat it too often, you are likely to get the reply: "Well, why the hell did you make your products so insecure in the first place?"
2. "Get security-accredited, if you want to do business."
This is an indirect pitch -- the idea is to set up a badge that businesses can display if they are "secure" by some objective criterion. If it takes off, then anyone not accredited will suffer, and those who have the badge -- well, they will have bought a certain amount of security products and consultancy in the process. "This could make people upgrade their network equipment," says Trevor Dearing, enterprise security solutions manager for Nortel Networks in EMEA.
The drawback is -- how good is the badge? There is a British Standard, BS7799, for security policy, under which organisations can be accredited. BS7799 has been around since the mid-1990s, but went global at the end of 2000 -- becoming an international standard, ISO EN 17799. The standard does not specify technology, but policy -- which is fine in my book since security is a policy issue far more than a technology issue. However, while there has been some talk that government departments might require their partners to be BS7799-accredited, the idea has not taken off in a big way. It's more seen as a guide to good practice. This may change in the next little while, as the British Standards Institute prepares an awareness-raising scheme.
The big problem is that this kind of thing has been discredited before. During the mid-1990s, there was a fad for every white delivery van to bear an ISO 9000 "quality" kitemark. This only meant the company had jumped through some hoops -- and usually only one part of the organisation did the jumping -- for instance, the catering department. People have had enough poor-quality service from quality-marked companies to devalue the idea pretty thoroughly, and exactly the same problem would apply to BS7799.
3. "Invest in security and you'll get a pay-off in reduced premiums."
This one is a fascinating idea, and one which would indicate an IT security market that was really starting to mature. Cars with good locks and alarms incur lower insurance premiums -- so, the argument goes, should IT systems. There is some evidence this is starting to happen. Leading security player ISS has a tie-up with insurance brokers Marsh so that risk managers who are insuring their company against risks relating to data loss or hacking can get lower premiums by showing they have a particular level of protection. It is not clear how successful this has been so far. However, conventional security offerings such as intrusion detection systems are starting to move towards an insurance-like payment model.
4. "Appoint a chief security officer."
This is a positive step -- but only relevant to large businesses, as small ones may not even have dedicated IT staff, let alone dedicated security staff. GartnerGroup has predicted that half of the global 2000 companies will have dedicated IT security specialists in place by next year, but the CSO is a slightly different concept -- someone whose security responsibilities include the physical protection of equipment and data, as well as the reduction of other risks. "The CSO should report directly to the CEO, not the CIO," says Dearing, "and have a dedicated budget." This makes sense, but still sets up all sorts of possibilities for conflicts -- what happens if the CIO wants something that the CSO doesn't trust? What if the CSO's requirements have an impact on the CIO's budget? The phenomenon is still fairly rare -- for instance, large vendors' security spokesmen talk about updating all the UK's CSOs by phone if something big happens. There can't be too many of them, if the network operates that way.
5. "Let's just rebrand the whole thing."
Well, why not -- we've tried everything else. "Security" has negative connotations, can never be achieved perfectly, and puts the emphasis on risks rather than benefits. Security vendors are talking about how they would like to change the name their market is referred to under -- "How about trust, or protection?" says Alastair Broom, manager of enterprise solutions at Omnetica, the network integrator formerly known as Siemens Network Solutions. "How about safety?" If you want proof that IT security is not mature, the idea that security should change its name should be enough. By and large you don't get christened when you are all grown up.