'Bolt-on' security comes under fire

Security companies must work more closely with product makers and buyers to ensure that security is built in from a product's beginning, the Technology Strategy Board has urged

Technology makers need to step up their efforts to build security protections into their products and services, the Technology Strategy Board has urged.

Vendors are not offering products where security is built in from the beginning of the lifecycle, said Andrew Tyrer, network security lead at the government quango. To remedy this, the security industry must work more closely with vendors and buyers of technology, he said.

"Companies out there are offering solutions to point problems, but they are not looking to embed security in products and services," said Tyrer at the Infosecurity Europe 2010 conference on Tuesday. "The information security market needs to work more closely with businesses in general, so organisations can [obtain] solutions from the market."

Tyrer pointed out that security suites brought in after the fact tend to be specialist and expensive. Another drawback of adding protection only after new technology is installed is that information security providers tend to look at short-term, rather than long-term, issues when coming up with their products, he added.

UK businesses have seen a rise in data breaches and other security incidents in the past two years, according to a survey by PricewaterhouseCoopers (PwC). The survey found that businesses are implementing new technologies without fully thinking through the security ramifications.

Saying that the technology industry is suffering from "bolt-on security syndrome", Jericho Forum board member Adrian Seccombe put the blame on vendors of products and services. He added that security around new technologies such as virtualisation is still sold as an expensive product rather than as a commodity.

"This is part of the dilemma of commoditisation," said Seccombe. "With new technologies and developments, vendors don't offer commodity services, but want to get their money back through high-value services."

However, Seccombe said he believes that it will not be long before providers start to offer lower-priced, more secure solutions as new technologies like cloud computing become more mature.

Security company Webroot said the cost of cloud security products and cloud services in general will decrease as more businesses begin to use them.

"Security software needs to be made available as a service, because suddenly you get economies of scale," said Webroot chief technology officer Gerhard Eschelbeck. "Cloud services are superior from a cost and quality perspective."