CyberSecurity Institute

Security News Curated from across the world

Gartner Debunks Six Information Security Myths and Counsels Enterprises Where to Invest for Maximum

Posted on September 20, 2004 (updated December 30, 2021) by admini

Myth 1 — ‘Spend on more stuff; continue to spend on everything else’
Gartner predicts that by 2006, information security spending will drop from an average of six to nine percent of IT budgets to an average of four to five percent as enterprises improve security management and efficiency. It is the improvement in management that holds the key to a more secure enterprise. Wheatman therefore advised information security managers to develop realistic, company-specific cost/risk models and provide a clear roadmap of where their efforts are leading. Mr Wheatman stressed that to achieve this, funding must shift over the next five years from traditional solution purchasing to a better-defined risk management process involving investment in three objectives. Gartner identifies these as 1. keeping the bad guys out, 2. letting the good guys in and 3. “keeping the wheels on” (that is, maintaining operations).

Myth 2 — ‘Security is a journey, not a destination’
The key question to answer is “Are we more secure now than we were last year?” Wheatman advised information security managers to develop realistic, company-specific cost/risk models and provide a clear roadmap of where their efforts are leading. Warnings without realistic plans will not achieve management buy-in.

Myth 3 — ‘Software has to have flaws’
Gartner estimates that even if only 50 percent of software vulnerabilities were removed before the software is put into production, enterprise configuration management and incident response costs would each be reduced by 75 percent. Gartner also estimates that there are only 500 software engineers worldwide with the skill and knowledge necessary to scan code for security problems efficiently and effectively. Wheatman urged enterprises to demand proof of safer software when procuring software, while companies that develop software internally should review the code with security in mind.

Myth 4 — ‘Next Year Is the Year of…’
Every year enterprises are urged to invest in the latest solutions to safeguard their business, and yet, each new wave of technology disrupts existing security measures and introduces new vulnerabilities. In the case of information security, failing to deploy defensive solutions at the right time can leave the organisation vulnerable. Wheatman warned that investing in security technology too early can result in a complete waste of enterprise security funds and he advised organizations to focus on their specific business needs and complete a threat assessment to prioritise security requirements.

Myth 5 — ‘Regulations Matter’
A variety of regulations and new laws, such as the Health Insurance Portability and Accountability Act, European Union Privacy Directive or the Sarbanes-Oxley Act, have an element of information security implied. Regulations shouldn’t really matter.

While important not to rush into acquiring new products and services eagerly promoted by security vendors as ‘HIPAA- or SOX-compliant’, Mr. Wheatman said that regulations do attract management attention and can consequently make budget processes somewhat easier.

Myth 6 — ‘Business units that care about security walk the security walk and talk the security talk’
It is not enough for security managers to understand the technologies, the specific threat metrics or the buzzwords of the solutions available to address risk. To be effective, security managers need to place themselves in the role of business managers and be able to translate technically oriented information security for the enterprise into business terms.

The Way Forward
Only by cutting through the hype and looking beyond the myths that abound can security managers take their enterprises forward. Gartner strongly counsels against investing in an over-hyped technology too early. Using its information security hype cycle, Gartner has identified the security technologies it believes enterprises will need over the next five years as well as those that enterprises probably don’t need before 2009.

Although some enterprises will benefit from technologies in the ‘don’t need’ column, for example, digital signatures, they are exceptions. For the most part, the list of ‘don’t needs’ can be avoided. Vulnerability management not only implies advancement from passive vulnerability monitoring to near-continuous monitoring, but also integration with workflow and rule engines to effectively correct vulnerable states without creating system conflicts.

Gartner predicts that with security spending intentions high, and with increasing threats and regulatory requirements, the next 12 to 18 months promise opportunities for security professionals to leverage executive attention and to demonstrate value. However, failure to reduce highly visible threats, such as spam and increasingly creative viruses and worms, or overspending to meet legislative initiatives, could lead to questions about the skills and relevance of in-house security professionals, and more inclination to use external consultants and outsourcing solutions.

http://www4.gartner.com/5_about/press_releases/asset_106327_11.jsp

Hackers costing enterprises billions

Posted on September 20, 2004 (updated December 30, 2021) by admini

Motivated increasingly by money, hackers are amassing legions of unwitting bot computers for distributed denial-of-service (DDoS) attacks.

They are also exploiting Web applications and mobile devices to steal identities through e-commerce scams, including phishing.

These are some of the worrisome conclusions drawn by the Cupertino, Calif.-based security vendor Symantec Corp. in its semi-annual Internet Security Threat Report released today.

“We’re no longer talking strictly about the male teenager with the low moral compass, or the hacktivist, who defaces sites or uses malicious code or worms against those on one side in a political conflict,” said Vincent Weafer, senior director of Symantec Security Response.

The daily volume of Internet-based worm attacks decreased in the first half of the year, according to Symantec.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1007181,00.html

Gartner analysts point out the security you don’t need

Posted on September 20, 2004 (updated December 30, 2021) by admini

The list of security items a company probably doesn’t need within the next five years includes personal digital signatures, quantum key exchanges, passive intrusion detection, biometrics, tempest shielding (to protect some devices from emanating decipherable data), default passwords, or enterprise digital rights management outside of workgroups, according to Victor Wheatman, vice president and research area director at Gartner, based in Stamford, Conn.

“You have to be aware of what the over-hyped technologies are. You don’t need personal digital signatures, because in most cases, an electronic signature will be enough and in terms of biometrics, you won’t need that unless your company is using airplane pilots or has high-level executives that won’t or can’t remember passwords,” Wheatman said.

Wheatman also singled out “500-page security policies” and security awareness posters as things an IT manager would be better off not spending company resources on. “You do need security policies, but not ones so large that no one reads them.”

It is also important to have a business continuity plan. “We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late.”

IT managers need to be much more proactive about implementing systems that work correctly in the first place, rather than spending the time and money on fixing problems after the fact, Wheatman said. Software need not have flaws, Wheatman stressed, and IT managers need to challenge their vendors to make safer software, otherwise the security costs within the industry will simply continue to grow.

“We’ve been in the biggest beta test in history and this test is still going on: It’s called Windows,” Wheatman said. “Longhorn will fix some of the problems (within Windows), but it isn’t a full solution and flaws will remain. Our studies have found that it is three to five times more expensive to remove software defects after the fact. Why not get it right to begin with?” A company should demand proof that a software product it buys is safe and make sure that the vendor has reviewed the code of the software with security in mind, he said.

By 2006, Gartner is projecting that when it comes to software and hardware, a company will be spending 4% to 5% of its IT budget on security. That number could jump as high as 6% to 9% when staff and outsourcing services are factored in. But the IT departments that spend most efficiently on security, even if the expenditure is between 3% and 4% of the IT budget, could actually be the most secure, Wheatman said.

Martin Smith, the managing director for the security consultation company, The Security Company (International) Ltd. said in a separate speech that Wheatman may have been too quick to dismiss some basic items such as security awareness posters and security policies, because users need a clear framework that some of those items can provide. But he did agree with Wheatman that IT managers need to establish a roadmap for keeping IT systems secure. “In IT security, do the stuff that’s quick and easy: passwords, training and awareness in the areas that matter. We have an appalling absence of basic management metrics for our trade.”

Viruses keep on growing

Posted on September 20, 2004 (updated December 30, 2021) by admini

Symantec’s biannual Internet Security Threat Report found that 4,496 new Windows viruses and worms were released between January and June, more than 4.5 times the number in the same period last year. But the daily volume of actual attacks decreased in the first six months of 2004, Symantec said.

From January through June, 1,237 new vulnerabilities were discovered, with 70 percent in the easy-to-exploit category and 96 percent considered moderate or highly severe. Nearly 39 percent of the total volume of attacks were linked with Web applications.

Slammer worm was the most common attack, with 15 percent of attacking IP addresses performing an attack related to Slammer.

Gaobot, also known as Agobot, and its variants increased by more than 600 percent over the past six months and took second place, the company said.

E-commerce was the single most targeted industry, with nearly 16 percent of attacks directed against it, compared with 4 percent reported during the previous six months.

Symantec said the rise could be due to attacks motivated by economic gain, reflected in a rising number of phishing scams and spyware. “Exploits are being created more easily and faster than ever, while attackers are launching more sophisticated attacks for financial gain,” Arthur Wong, vice president of Symantec’s Security Response and Managed Security Services units, said in a statement.

The security software maker said Web application technologies have emerged as attractive targets for attacks, as they are widely used in businesses and can be attacked with relative ease.

Nearly 82 percent of Web application vulnerabilities were classified as easy to exploit, Symantec said. The average number of bots jumped from 2,000 to 30,000 a day.

The number of distinct bot variants is also rising, up 600 percent over the past six months; the bots spread through peer-to-peer services, Internet relay chat and network file sharing.

Adware is becoming problematic, accounting for half of the malicious code submissions.

The software maker said attacks targeting firewalls, routers and other security devices are likely to increase in the future.

There may also be more bot networks that employ sophisticated techniques usually difficult to detect and locate.

Symantec also expects to see port knocking, in which a host that looks closed opens a service only after it receives a specific sequence of connection attempts; attackers may use it to hide a direct connection into a compromised system.
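The report only predicts port knocking; it does not describe how to spot it. As an added example, not part of the Symantec report or the original article, the following detector runs over firewall drop logs and flags a source that hits a fixed port sequence in order within a short window, then notes whether an accepted connection from the same source follows. The knock sequence, the time window, the iptables-style log format, the hosts and every log line are constructed assumptions for the demonstration.

```python
"""Detect port-knock sequences in firewall drop logs (added example)."""
import re
from datetime import datetime, timedelta

# Hypothetical knock sequence an implant might wait for (assumption, not from the report).
KNOCK_SEQUENCE = (7000, 8000, 9000)
# Knocks must arrive in order within this window, or the sequence is discarded.
WINDOW = timedelta(seconds=10)

# Constructed iptables-style log lines; addresses are documentation/test ranges.
SAMPLE_LOG = """\
Sep 20 10:00:01 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=7000 SYN
Sep 20 10:00:02 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=8000 SYN
Sep 20 10:00:03 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=9000 SYN
Sep 20 10:00:04 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=31337 SYN
Sep 20 10:00:05 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=8000 SYN
Sep 20 10:00:06 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=50002 DPT=7000 SYN
Sep 20 10:00:07 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=50003 DPT=9000 SYN
Sep 20 10:30:00 gw kernel: DROP IN=eth0 SRC=198.18.0.7 DST=198.51.100.10 PROTO=TCP SPT=60001 DPT=7000 SYN
Sep 20 10:30:01 gw kernel: DROP IN=eth0 SRC=198.18.0.7 DST=198.51.100.10 PROTO=TCP SPT=60002 DPT=8000 SYN
Sep 20 10:31:00 gw kernel: DROP IN=eth0 SRC=198.18.0.7 DST=198.51.100.10 PROTO=TCP SPT=60003 DPT=9000 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) "
    r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Yield (timestamp, action, source, destination port) for each parsable line.

    Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    because only differences between timestamps are used.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["action"], m["src"], int(m["dpt"])))
    return events


def find_knocks(log_text, sequence=KNOCK_SEQUENCE, window=WINDOW):
    """Return one alert per source that completes the knock sequence in order.

    Each alert records when the sequence started and completed and, if an
    accepted connection from the same source arrives within the window
    afterwards, the port it connected to (the likely hidden service).
    """
    state = {}    # src -> (index of next expected knock, time of first knock)
    pending = {}  # src -> (completion time, alert dict) awaiting a follow-up ACCEPT
    alerts = []
    for ts, action, src, dpt in parse_events(log_text):
        if action == "ACCEPT" and src in pending:
            completed_at, alert = pending.pop(src)
            if ts - completed_at <= window:
                alert["followed_by"] = dpt
        if action != "DROP":
            continue  # only rejected probes count as knocks
        idx, start = state.get(src, (0, None))
        if idx > 0 and ts - start > window:
            idx, start = 0, None  # sequence timed out; start over
        if dpt == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
        elif dpt == sequence[0]:
            idx, start = 1, ts   # out-of-order hit, but a fresh first knock
        else:
            idx, start = 0, None  # wrong port breaks the sequence
        if idx == len(sequence):
            alert = {"src": src, "started": start, "completed": ts, "followed_by": None}
            alerts.append(alert)
            pending[src] = (ts, alert)
            idx, start = 0, None
        state[src] = (idx, start)
    return alerts


if __name__ == "__main__":
    for a in find_knocks(SAMPLE_LOG):
        print(f"{a['src']} knocked {KNOCK_SEQUENCE} at {a['completed'].time()}, "
              f"then connected to {a['followed_by']}")
```

In the constructed log, only 203.0.113.5 completes the sequence in order and inside the window; 192.0.2.9 hits the same three ports out of order and 198.18.0.7 takes a minute for the last knock, so neither is flagged. A real deployment would not know the sequence in advance; the same state machine can be run over every ordered triple of closed ports a source touches, with the accepted connection that follows being the strongest signal.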

Microsoft Targets Continuity with Data Protection Server

Posted on September 20, 2004 (updated December 30, 2021) by admini

The software maker took the wraps off its Microsoft Data Protection Server at the Storage Decisions 2004 conference in Chicago.

Data Protection Server, or DPS, is currently in limited beta release and will expand to a public beta in the first quarter of 2005.

Customers can expect the backup and recovery product to ship in the second half of 2005, said Jeff Price, senior director, Windows server product management.

Built to work in close tandem with Microsoft’s Windows Server 2003, Microsoft Storage Server 2003, and Active Directory, DPS is tabbed to help customers drive down costly backup and data recovery times as well as inefficiencies by recording changes within Windows file server workloads.
Nestled between file servers and a tape library system, DPS features deployed agents to locate all file servers, and then ensure appropriate configurable rules are in place for continuous change logging and replication. DPS will integrate with tape offerings via a backup interface currently in development. The interface is based upon Microsoft’s Volume Shadow Copy Service API located in Windows Server 2003, Price said. This will allow third-party tape backup vendors to partner with Microsoft to support DPS for Windows-based environments.

http://www.eweek.com/article2/0,1759,1648458,00.asp?kc=EWRSS03119TX1K0000594

Spam most destructive in China’s Internet security

Posted on September 17, 2004 (updated December 30, 2021) by admini

Virus-related information was collected from a total of 7,072 departments, including those in government, finance, education and research, telecommunications and commerce, and from more than 8,400 computer users.

The survey was launched by the Bureau of Public Information and Internet Security Supervision under the Ministry of Public Security and the Professional Committee of Computer Security of the China Computer Federation.

The survey shows an 87.9 percent infection rate among computer users in China, up 2 percent from last year.

The most widespread malicious programs are Internet worms and viruses or malicious code targeting web-browsing software: “Worm.Sasser”, “Worm.NetSky”, “Worm.Nimda” and “Digispid.B.Worm”, among others. Internet-borne destruction is on a rampant rise.

Particularly devastating but harder to detect are viruses that steal users’ sensitive information, such as account names and passwords.

58 percent of the surveyed departments have had security incidents, and 36 percent of those incidents were caused by the mass transmission of spam.

The survey identifies the main causes of Internet security incidents as poor implementation of regulations, low security awareness, poorly trained security management staff and the lack of an effective channel for reporting security information. Moreover, a security services trade incapable of meeting the needs of society remains a tough problem.

http://english.peopledaily.com.cn/200409/14/eng20040914_156990.html
