Managing IT risk in uncharted waters of "Security 3.0"

Firms need to think about reducing spending, not throwing money at the problem, advises analyst Gartner

Gartner’s IT Security Summit in London this week focused on the dangers to corporate systems posed by emerging “security 3.0-level” attacks that typically exploit vulnerabilities in social networking applications.

The analyst firm also warned that by the end of 2007, 75 per cent of enterprises will be infected with undetected malware that may cause hidden vulnerabilities in enterprise systems.

Gartner advised firms to use standard tools to deal with common “security 2.0” problems, such as worms and viruses, in order to free up security budgets and personnel to tackle the latest threats. According to the firm, chief information officers have typically increased security spending by 9.3 per cent over 2006 as they attempt to bolster their IT defences.

However, Gartner research suggests that throwing money at security is not working. At the summit, the firm said that there is no correlation between security spending and the security level of a system. The firm added that progress in security should see a reduction in security spending, not an increase.

Once money is spent on securing a system against threats such as viruses, it is unlikely a huge amount will have to be spent again because these threats are not progressing, Gartner analyst John Pescatore said. This will free up money that can be focused on techniques to detect future, hard-to-perceive threats, he added.

Richard Hunter, another Gartner analyst, said the most important IT spending is on the foundation of systems, not administration. Many of the current problems are caused by poor technology and “management inattention”, he argued.

“Although fixing the foundation of a large infrastructure can demand large upfront costs, it will be cheaper in the long term and free up staff and money to deal with the new threats,” Hunter added.

Firms have a challenge ahead of them, according to Joanna Rutkowska, chief executive of security firm Invisible Things. She said organisations are in a constant race against the “bad guys” and that this means resources always have to be focused on the latest threats.

Pescatore agreed, saying “security 3.0” required IT staff to stay one step ahead of criminals and protect systems against targeted attacks by determined individuals.

Pescatore cited attacks on blogging software through back doors and the defacing of US senator John McCain’s MySpace page as examples of the kind of targeted incidents firms must defend against.