Myth 1 — ‘Spend on more stuff; continue to spend on everything else’
Gartner predicts that by 2006, information security spending will drop from an average of six to nine percent of IT budgets to an average of four to five percent as enterprises improve security management and efficiency. It is the improvement in management that holds the key to a more secure enterprise. Mr Wheatman stressed that to achieve this, funding must shift over the next five years from traditional solution purchasing to a better-defined risk management process involving investment in three objectives. Gartner identifies these as (1) keeping the bad guys out, (2) letting the good guys in and (3) “keeping the wheels on” (that is, maintaining operations).
Myth 2 — ‘Security is a journey, not a destination’
The key question to answer is “Are we more secure now than we were last year?” Wheatman advised information security managers to develop realistic, company-specific cost/risk models and provide a clear roadmap of where their efforts are leading. Warnings without realistic plans will not achieve management buy-in.
Myth 3 — ‘Software has to have flaws’
Gartner estimates that even if only 50 percent of software vulnerabilities were removed before the software is put into production, enterprise configuration management and incident response costs would each be reduced by 75 percent. Gartner also estimates that there are only 500 software engineers worldwide with the skill and knowledge necessary to scan code for security problems efficiently and effectively. Wheatman urged enterprises to demand proof of safer software when procuring it, while companies that develop software internally should review the code with security in mind.
Myth 4 — ‘Next Year Is the Year of…’
Every year enterprises are urged to invest in the latest solutions to safeguard their business, and yet each new wave of technology disrupts existing security measures and introduces new vulnerabilities. In the case of information security, failing to deploy defensive solutions at the right time can leave the organisation vulnerable. Wheatman warned that investing in security technology too early can result in a complete waste of enterprise security funds, and he advised organisations to focus on their specific business needs and complete a threat assessment to prioritise security requirements.
Myth 5 — ‘Regulations Matter’
A variety of regulations and new laws, such as the Health Insurance Portability and Accountability Act, the European Union Privacy Directive or the Sarbanes-Oxley Act, carry an implied information security element. Regulations shouldn’t really matter.
While it is important not to rush into acquiring new products and services eagerly promoted by security vendors as ‘HIPAA- or SOX-compliant’, Mr Wheatman said that regulations do attract management attention and can consequently make budget processes somewhat easier.
Myth 6 — ‘Business units that care about security walk the security walk and talk the security talk’
It is not enough for security managers to understand the technologies, the specific threat metrics or the buzzwords of the solutions available to address risk. To be effective, security managers need to place themselves in the role of business managers and be able to translate technically oriented information security for the enterprise into business terms.
The Way Forward
Only by cutting through the hype and looking beyond the myths that abound can security managers take their enterprises forward. Gartner strongly counsels against investing in an over-hyped technology too early. Using its information security hype cycle, Gartner has identified the security technologies it believes enterprises will need over the next five years, as well as those that enterprises probably don’t need before 2009.
Although some enterprises will benefit from technologies in the ‘don’t need’ column, for example digital signatures, they are exceptions. For the most part, the list of ‘don’t needs’ can be avoided. Vulnerability management implies not only advancing from passive vulnerability monitoring to near-continuous monitoring, but also integrating with workflow and rule engines so that vulnerable states are corrected effectively without creating system conflicts.
Gartner predicts that with security spending intentions high, and with increasing threats and regulatory requirements, the next 12 to 18 months promise opportunities for security professionals to leverage executive attention and to demonstrate value. However, failure to reduce highly visible threats, such as spam and increasingly creative viruses and worms, or overspending to meet legislative initiatives, could lead to questions about the skills and relevance of in-house security professionals, and more inclination to use external consultants and outsourcing solutions.
http://www4.gartner.com/5_about/press_releases/asset_106327_11.jsp