While perhaps not as newsworthy as Britney Spears' marriage or the Michael Jackson trial, have you noticed that the economy appears to be humming along nicely these days? Who knows if the bold predictions for 2004 will hold up, but my recent travels have put me in contact with some information security companies that are all smiles, based on their 2003 successes and plans for 2004. I have also spent considerable time with companies who are trying to put the best possible face on some clear disappointments. What is separating the winners from the losers? I don't have all the answers, but I think an important theme is "Keep it Simple Security". 2004 might even become the Year of Simple Security.
Everyone knows that in any system, complexity is the enemy of security. So it should come as no surprise that simple is a concept that the market would willingly embrace. But what kind of simple am I talking about? In 2004, simple manifests itself in three major themes:
Streamline the security themes you already believe in. Corporate security groups are not readily adopting new security concepts that significantly change existing processes. Instead, they are investing in existing themes, with some subtle twists in the means used to accomplish the ends. Antivirus is the most obvious example of this modified status quo. Organizations had invested significantly in antivirus technologies in prior years, and only increased this investment in 2003. Last year was by far the worst year on record for virus damage, and no one has yet made a case that ties the antivirus investment to metrics showing tangible improvement in virus prevention and associated productivity cost savings. Symantec et al. had terrific years selling AV software licenses, of that there can be no doubt. So, part of the conclusion end users are reaching is that antivirus software is good: it can detect and prevent a lot of viruses, particularly in taming recurring viruses. The philosophy among this group of "keep it simple" security professionals is that the incumbent antivirus strategy is good; we need to increase the intensity of this approach by:
Enforcing corporate antivirus standards more rigorously. Essentially, corporations are spending more on antivirus software to ensure that it is present throughout the organization, including employees' home office PCs, remote workers and any other viral point of entry that has been neglected. The theory is that the "unprotected 10 percent" is capable of causing mayhem, and that the push towards 100 percent virus coverage will pay dividends. They are also increasing the update frequency for virus signatures. Finally, they are extending corporate standards and policies into the supply chain, and promoting similar virus prevention practices within business partners. This "more of the same" approach is lifting all the incumbent antivirus software providers to new heights in product sales. However, we are not seeing proof that this "more of the same" standard is effective.
Implementing new types of low-maintenance antivirus solutions. Although still numerically small in the overall antivirus market, we are seeing tremendous growth from vendors providing antivirus technology in new packaging that offers a significantly lower cost of ownership. The two main examples of this are network-based antivirus appliances and antivirus service providers. My own view is that this is the significant trend worth watching in virus prevention and containment. The increased spending on traditional antivirus software is a knee-jerk reaction to the problems we are facing and reflects the corporate security professional's lack of visibility into alternatives within the industry. The low-maintenance network-based and service-based approaches are simplifying virus mitigation and reducing its cost of ownership.
Bring order out of chaos. Corporate security professionals are swimming in security data generated by a multitude of vendors, but lack the capability to organize this information in a way that allows them to see the big picture and answer simple questions. How many attacks were attempted at our east coast offices last month, and what was the success ratio? What is the impact of a new investment in application firewalls and two-factor authentication solutions? Does everyone in the company know how to recognize a virus? The ability to understand ROI and to identify baselines in security operations and corporate awareness is a big issue facing CSOs today. CSOs are looking for solutions that boil security down into something tangible that they can communicate easily both inside and outside of their team. Forensics, security management tools, benchmarking, assessments and education are all gaining healthy investments, particularly when they come with "eye candy" reporting systems. The organizations that are ultimately going to gain the upper hand on their security issues are those that can best measure the problem. Dan Geer gave a presentation at Infosecurity 2003 called "The Future Belongs to the Quants", and he hit a bullseye that made me forget about the Monoculture piece for a few minutes. Statisticians are for the most part a foreign group to the "folk art" (Donn Parker's term) that security currently is. But some day statisticians and actuaries who can quantify information security will rule information security. Geer made the point that even if statisticians use bad data, measuring it long enough will provide good results. It looks like 2003 was the year that enough people started to realize that they need to become "quants", and this will be a burgeoning area of study and investment.
Limited bandwidth for thinking out of the box. This is the dark side of the trend towards simplicity we are seeing. Never in my years have I heard as many anecdotes about security companies succeeding or failing in their sales with minimal relationship to how good a job they do during the actual sales process. Six- and even seven-figure deals are being decided on the barest of due diligence on the merits of the solution itself. The cocktail napkin deals are clearly happening. On the other hand, very detailed proposals that lay out return on investment, and even have a great deal of support within the rank and file, are being rejected without serious scrutiny. The reason is that management is less enthusiastic about introducing new security concepts to the organization and is spending its time dealing with more fundamental issues, such as building out lines of communication with the rest of the company and creating awareness. It is very positive to have a back-to-basics approach to a security assurance program. The problem is that many organizations are not performing due diligence on the security solutions they are purchasing, and are often seen following the herd. Want to spend millions on a network intrusion detection system? Sure, IDS is hot, that must be good. How about putting in a system to manage our burgeoning instant messaging traffic, or enforcing policies at the desktop? No, that sounds difficult and I am only going to get the business units mad at me. Chief Security Officers are doing a much better job of implementing Sarbanes-Oxley controls than they are of evaluating security technology.
Organizations today are spending the bulk of their security budgets on improving and simplifying what they have, and are not opting for exotic solutions that they aren't already familiar with. It is a good news, bad news scenario: knee-jerk reactions to invest in "won't get fired" solutions are being balanced by investments in simpler network-based technologies as well as new technologies and processes for quantifying security. Simple is good, if it is not making us simple-minded.
CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.
CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.