When IT security becomes a gothic horror story

Editor's Blog: Quoth the hacker 'Nevermore!'

The RSA Conference in San Francisco, the big annual get-together for the great and the good of corporate IT security, is just getting under way - and I'll be reporting from it all this week.

One of the nice quirks of the event is that each year it chooses an historical theme around IT security - this year the focus is on Edgar Allan Poe. Poe was fascinated by cryptography, often concealing hidden messages in his works, and even once challenged his readers to submit their codes to him - which he then claimed to crack.

It's an interesting choice of mascot for this year's event. Beyond the link with cryptography, Poe is, of course, best known for his stories of threatening Gothic gloom and madness. I'm not entirely sure that's the association the organisers had in mind, but I'm having trouble shaking it off.

Can we recast Poe's horror classic 'The Pit and the Pendulum' as the dilemma faced by CEOs and CIOs - whether to throw more of their budget into the pit of IT security spending or risk being sliced to pieces by the pendulum of customer anger if their infrastructure is breached?

As one of Poe's recurring themes was premature burial, should we be on the lookout for the security threats that we thought we had defeated, that may even now be about to burst from their coffins and cause more havoc (like Conficker, maybe)?

And how to recast the grim 'Nevermore' as uttered by the gloomy bird in The Raven? Perhaps as a dark warning that we'll never win the battle against hackers and virus writers?

Frankly I'm not even going to attempt The Fall of the House of Usher. Figure out an IT security moral from that one yourselves, if you can!

In any case, despite the bleak time suggested by the choice of Poe, there are reasons to be, if not exactly cheerful, then relatively positive about the IT security outlook.

Security is reasonably well funded at the moment - from silicon.com's own exclusive research, unveiled last month, we know that security is a top area of focus for CIOs during 2009. That's in contrast to 2008 when IT governance took the top spot. And a series of data breaches has made CEOs wake up to the need to invest in this area.

Technologies mentioned in the research as being of particular interest include identity and access management, email security, and monitoring and filtering, along with biometrics and data encryption.

Still, that doesn't mean security experts have hit the jackpot of unlimited budget. The RSA Conference unveiled a programme to offer passes to the San Francisco event for 25 unemployed security pros, showing that the recession is hitting all classes of techies.

And just because times are tough that doesn't mean the bad guys are going to go easy on businesses - quite the opposite. Tough economic times are often linked to an increase in crime and there's no reason why the electronic world would be immune to that.

A poll of anti-fraud chiefs published by RSA Conference in the run-up to the event found that more than half thought fraud attacks have increased because of the global economic problems - and one in three said their organisation had been hit with a data breach in the last 12 months.

It's not just the professionals - consumers also think the economic crisis makes them more at risk of ID theft or fraud, according to separate research conducted by Unisys. This means firms have to work that bit harder to make sure their customers are willing to do business with them electronically. There's still plenty of work to do.

On top of that, now that firms are seriously looking at cloud computing models this will inevitably become an area where security will have to be addressed. As well as figuring out how to defend what organisations already have, there's also a need to work out how to protect new applications. Plus the IT security industry has to justify the money being spent on it and not just rely on scare tactics.

Still, despite all of this, it's worth remembering that as well as all the gloom, Poe is also known for writing the world's first detective story, with his C Auguste Dupin solving the apparently unsolvable case of the murders on the Rue Morgue.

Perhaps security professionals and the industry had better adopt him as their role model rather than some of Poe's other heroes, who had a habit of coming to less than pleasant ends.