Put your trust in people
Summary: Stuart Okin: Security and trustworthy computing are as much about skills and training as technology, says Microsoft UK's chief security officer
According to research company IDC, security hardware and software expenditure in Europe will reach $6.2bn in 2005, with e-business a key driver. This is as it should be. After all, if e-business and Web services built on open standards are to fulfil their potential, they must be based on trustworthy computing solutions that inspire confidence in users.
Web services in particular are built on openness, which itself is built on trust. This does not imply blind faith and nor does the development of Web services built on open standards. Trust is built through assessment, auditing and accreditation. All these things provide users with independent endorsement of a service and 'proof' of its trustworthiness.
People and skills
So it is great that businesses are focused on securing their systems, and putting in place the right technology is certainly a step in the right direction. But it is only part of the solution. In the end, trust is not something that can be bought and security is an issue that goes beyond technology. To a large extent, security is about people and the way they use technology. It is about ensuring that developers build security into every feature, administrators set up and use systems with security as a priority and users understand the security implications of their actions. It comes down to skills and experience.
Once businesses have invested in technology, whether it is specialist security technology or not, they must invest in skills and training. Everyone from developers and IT staff to business users must be equipped with the skills they need in order to approach technology solutions with security front of mind, and this is all about forward planning. It's all very well having the best security processes in place, but without the right training, loopholes will appear. For example, implementing proper security precautions such as well-thought-out passwords and usernames is important, but if users leave their machines unlocked while at lunch, well, that's not very secure.
Think ahead
It is very rare for a business to develop any kind of technology solution without going through a detailed planning and testing process. This is especially true for e-business and Web services built on open standards solutions. However, if businesses are to build trustworthy solutions they must make security and skills a central element of solutions planning, in terms of both development and management. There is a good reason for this. There simply are not enough skilled IT professionals to go around, and the problem is particularly acute when it comes to security skills. IDC says that the networking skills shortage will leave European businesses 500,000 workers short by 2004. Meanwhile, end user organisations are suffering from a 50-60 percent shortage of security skills.