21 Sep 2006
Generally, the market for security technology is fairly mature. As a result, many companies are starting to shift away from a focus on traditional products towards a concentration on people and processes as part of a wider approach to risk management.
Rather than individual best-of-breed products, organisations are beginning to favour all-in-one security systems that include applications such as anti-virus, anti-spam and anti-spyware.
Jay Heiser, research vice president at analyst Gartner, says such an approach is happening at the desktop, email, gateway and network perimeter level, and is a trend that is set to continue.
‘A couple of surveys we carried out last year indicated that just over 50 per cent of buyers are now looking for best-of-breed compared with 80 per cent two years ago,’ he says. ‘That is the result of several factors – a declining interest in the specifics of technology and better all-in-one systems becoming available.’
Mike Gillespie, principal consultant at security consultancy Advent Information Management, says such consolidation is closely linked to organisations trying to find ways to cut management and administration costs.
‘More people are bedding in with the technology that they already have and are just trying to use it better,’ he says. ‘It’s a while since I have seen a new technology as such. Most vendors are only coming out with me-too technologies rather than anything groundbreaking.’
An exception to this could be biometrics, which, while not new, is still in its infancy. In fact, Gillespie believes biometrics is likely to be the next major technology to take off, because of its convenience and its ease of use.
But because prices still need to fall and systems still need to improve in terms of reliability, widespread corporate use of applications such as systems access is not expected before the end of the decade.
Another development related to consolidation is the fact that anyone in the organisation can now be responsible for security, says Laura Koetzle, a research director at Forrester Research.
‘If you look back five years, security was essentially a black art with high priests,’ she says. ‘But it has now been de-mystified to a great extent, and operations such as monitoring infrastructure or installing and managing a firewall have been sufficiently automated that they are simple enough for network and operations staff to do.’
Such automation is partly down to the fact that more and more infrastructure suppliers, such as Cisco and Microsoft, are adding or embedding security into their environments, while security vendors are starting to diversify into areas that were traditionally seen as infrastructure.
Examples include Symantec’s purchase of data backup and storage management vendor Veritas, and moves by email filtering specialists MessageLabs and Postini into email archiving, which was previously considered a storage discipline.
Gartner’s Heiser says this trend means that in the next three to five years security teams will look quite different.
‘Technology issues will be handled more by operational IT teams, although people in the security team will still need to understand technology,’ he says. ‘But they will also require broader skills and a broader knowledge of the risk management challenge.’
Tactical security staff will continue to work in the IT department and all operational IT personnel will be required to have some understanding of security.
Yet dedicated security heads, who are already growing in number in medium-sized to large organisations, will increasingly report not to the chief information officer (CIO), but to a non-IT executive, such as a compliance officer or even the chief financial officer.
This is already the case in about 20 per cent of organisations, and in such instances, heads of security and CIO roles have parallel status.
‘It is an arrangement that provides an important separation between risk management, which is operations, and risk control and auditing, which is security,’ says Heiser.
‘We will continue to see a lot of experimentation as we try to understand what constitutes best practice. Only a few people at the moment use the title of chief security officer, but we are starting to see a lot of people fulfilling the role.’
The key tasks of such chief security officers are to establish policies and procedures that will be embedded into the organisational culture, to ensure operational staff manage risk on an ongoing basis.
In some organisations, Gillespie is also seeing small discrete teams being created to define strategy that relates to information security, risk, compliance and business continuity management.
This strategy is then being implemented by the IT department.
Organisations most likely to approach the risk management ideal are those in heavily regulated industries with sophisticated IT infrastructures.
Financial services, petrochemicals and pharmaceuticals companies commonly have the most established initiatives in place to handle risk coherently on an enterprise-wide basis.
Gartner’s Heiser says just five per cent of organisations have a truly mature risk management programme in place, and up to 30 per cent know nothing about the concept.
‘But the influence of corporate governance regulations is forcing risk management maturity on large organisations and government agencies. So we expect to see significant improvements in the next few years,’ he says.
And the move towards risk management as an approach is already starting to have an impact on security expenditure. Increasing amounts of money are now being directed towards staff recruitment and training, developing internal security policies and implementing standards such as BS7799.
This UK-based information security management standard has also just been ratified internationally as ISO27001.
Advent’s Gillespie says BS7799 has been around since the mid-1990s and has gone through a number of rewrites, but in its current format as an ISO standard, it is probably at its most usable and useful.
‘We are certainly seeing an increase in the number of organisations working towards compliance and certification driven by risk management and compliance concerns,’ he says.
Another British standard, BS25999, which focuses on business continuity, is also expected to have a marked impact after publication later this year.
It is likely to be of particular interest to organisations such as the emergency services, law enforcement and utilities, which are covered under the Civil Contingencies Act 2004, because a significant element of the legislation relates to crisis management, business continuity and emergency planning.
But the adoption of the standard is also anticipated to have a knock-on effect elsewhere, as organisations demand that their partners and suppliers comply with its strictures as a pre-requisite of doing business with them.
Gillespie says the focus is shifting internally to look at how companies are run, because it is becoming clear that technology on its own does not give you a secure organisation.
‘You can have all the technology in the world, but if workers misuse your systems, you have an inherent weakness,’ he says. ‘Organisations are finally starting to see security is not an IT problem, but a business one.’
What the experts say
Security budgets are going into two main areas. The first is the development of specific strategic roles, such as dedicated security and risk managers, and staff development and security awareness training across the organisation. The second is the adoption of standards, such as BS7799, to improve the consistency of the way that security management is done.
Mike Gillespie, principal consultant, Advent Information Management
There is a transformation starting in security, from people being policemen telling others what they’re not allowed to do, to helping the business decide what risk it is willing or unwilling to take. This means that they’re now focusing their efforts not against threats from inside or outside the organisation or on security infrastructure, but on securing the data that matters and that’s much harder.
Laura Koetzle, research director, Forrester Research
You need to make business continuity management part of the culture, and that is not easy. It requires the involvement of senior management, but if you identify people with no interest, there’s no point rubbing their faces in it to try and make them get involved. There will always be others willing to get on board, so you’re better off going for someone who is enthusiastic about it.
Alison Hutton, head of accounting and financial services, Baillie Gifford
IT security does not stand alone in IT, nor in the overall security strategy of the business. It needs to be considered alongside physical security. For example, tying security policy to physical location by linking swipe cards with IT security can ensure that an employee is able to carry out certain tasks only when in a safe location.
Bob Tarzey, service director, Quocirca
It depends on your definition of risk, but we were more inclined to jump into the water and solve a problem rather than sit there and watch others drown. Introducing any new technology is a risk, but another risk was that we did nothing to help our members and that, to us, would be failure.
Pat Smith, director of the Buywayz project, Irish Farmers’ Association
Further reading:
Case study: how Baillie Gifford uses business continuity management
Case study: Irish Farmers’ Association - using voice verification applications