Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, September 20, 2004

Gartner analysts point out the security you don’t need

The plethora of security technologies on the market are enough to overwhelm even the most knowledgeable IT managers, but in sorting through all of the options, it may be helpful to look at what is not needed, according to Gartner research detailed recently in London at its IT Security Summit conference.

The list of security items a company probably doesn’t need within the next five years includes personal digital signatures, quantum key exchanges, passive intrusion detection, biometrics, tempest shielding (to protect some devices from emanating decipherable data), default passwords, or enterprise digital rights management outside of workgroups, according to Victor Wheatman, vice president and research area director at Gartner, based in Stamford, Conn.

“You have to be aware of what the over-hyped technologies are.  You don’t need personal digital signatures, because in most cases, an electronic signature will be enough and in terms of biometrics, you won’t need that unless your company is using airplane pilots or has high-level executives that won’t or can’t remember passwords,” Wheatman said.

Wheatman also singled out “500-page security policies” and security awareness posters as things an IT manager would be better off not spending company resources on.  “You do need security policies, but not ones so large that no one reads them.”

It is also important to have a business continuity plan.  “We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late.”

IT managers need to be much more proactive about implementing systems that work correctly in the first place, rather than spending the time and money on fixing problems after the fact, Wheatman said.  Software need not have flaws, Wheatman stressed, and IT managers need to challenge their vendors to make safer software, otherwise the security costs within the industry will simply continue to grow.

“We’ve been in the biggest beta test in history and this test is still going on: It’s called Windows,” Wheatman said.  “Longhorn will fix some of the problems (within Windows), but it isn’t a full solution and flaws will remain.  Our studies have found that it is three to five times more expensive to remove software defects after the fact.  Why not get it right to begin with?”  A company should demand proof that a software product it buys is safe and make sure that the vendor has reviewed the code of the software with security in mind, he said.

By 2006, Gartner is projecting that when it comes to software and hardware, a company will be spending 4% to 5% of its IT budget on security.  That number could jump as high as 6% to 9% when staff and outsourcing services are factored in.  But the IT departments that spend most efficiently on security, even if the expenditure is between 3% and 4% of the IT budget, could actually be the most secure, Wheatman said.

Martin Smith, the managing director for the security consultation company, The Security Company (International) Ltd. said in a separate speech that Wheatman may have been too quick to dismiss some basic items such as security awareness posters and security policies, because users need a clear framework that some of those items can provide.  But he did agree with Wheatman that IT managers need to establish a roadmap for keeping IT systems secure.  “In IT security, do the stuff that’s quick and easy: passwords, training and awareness in the areas that matter.  We have an appalling absence of basic management metrics for our trade.”

 

Posted on 09/20
TrendsPermalink