Never has enterprise security figured so prominently, or taken its place so swiftly, in the psyche of today's IT leader.
How can it not be top of mind? In the words of Meta Group Australia analyst Mark Bouchard, "Security equals survival." In 2001, the number of reported security incidents doubled from the previous year to more than 40,000. Malicious worms rampaged through corporate networks and threatened to strangle e-commerce, and then, on September 11, a horrific act of terrorism tore down preconceived notions about enterprise security.
This year, the book on enterprise security gets rewritten.
The good news is that security is finally reaching critical mass in the minds of the corporate executives who authorise IT budgets. Companies may be cutting back everywhere else, but they're maintaining their spending on safety.
The bad news is that security isn't a one-time fix. It's an ongoing process, an effort and outlay that will continually divert IT from the jobs it would prefer to pursue, such as keeping the company's systems going, creating e-commerce applications and simplifying the supply chain. As in years past, 2001 was initially about perimeter defence: keeping people out of your corporate network. But a determined intruder can always find a way into a system.
Companies must instead take a layered approach that shows security administrators where intruders can go on the network once they're in and what they can do once they get there.
That represents a sea change in approach for most security administrators. For some it's been like pulling teeth to get others to realise that for years, they've been spending 80 per cent of their security budgets on trying to keep people out when, in fact, 80 per cent of all attacks originate from inside the firewall. The shift away from perimeter defences to internal access control and authentication management is also being driven by a string of virus and worm attacks.
"Physical access, who you are, and [whether or not] you are allowed [specific privileges] are going to be among the technology questions that are going to be answered in 2002," said Charles Kolodgy, an analyst at IDC.
Smartcards, USB tokens, and biometrics will be hot areas because users "are beginning to realise they need to have a better handle on who's coming and going", Kolodgy said. "Passwords just don't give you enough confidence in these things."
Unisys Australia e-security architecture director Ajoy Ghosh agrees the recent terrorist event brought security to the fore for many executives, but there is still a reluctance to invest.
"Combined with the tech-wreck, many companies are reluctant to invest in strategic projects that transform their security and authentication practices," he said.
"Instead, they are re-evaluating existing protective security measures and finding out that they need to be upgraded and regularly serviced. There is a lot of customer activity in this area with many choosing to have independent experts manage it." In other words, hosted security services are currently under consideration.
Ghosh believes new technologies such as biometrics are also being reviewed now that their high price tag is coming down.
IT management will probably broaden the scope of its security concerns with the added scrutiny of Web services applications.
Managers may see improved safeguards for specific sets of database records, such as profiles or user accounts, while those records are in transit across systems for identity validation.
Analysts also foresee a marriage of disaster recovery and security as IT executives match technologies to their business models.
This is the world of true security where disaster recovery, continuity of operations and IT security are no longer considered separate disciplines.
Gartner analyst Bill Malick says he sees a renewed emphasis on business continuity, corporate provisioning, user authentication, crisis directory services, biometric security services, malicious code detection, data integrity and monitoring of the types of information released to the public.
The goal is to construct an adaptive security architecture, which is not an easy process. It means employing the right technologies, implementing the right infrastructures, investing substantial amounts on the necessary hardware, software and people, re-configuring operational processes and selecting what to outsource.
Meta's Bouchard believes organisations need to leverage enterprise architecture to establish effective security principles and introduce a security governance committee that aligns technology and business strategy. This establishes ownership of security issues and will put in place reporting structures and identify goals and priorities.
By 2002, Bouchard said 40 per cent of top-tier organisations will institute steering committees to supervise executive information security, because good security governance requires behavioural, cultural and technical change throughout the entire company.
He said the enterprise architecture team can help bridge the gap and advise on the level of strategic security investment that will be required.
"Evaluate security assets as risk management tools, not just as an operational cost," he said.
"Most organisations fixate on technology or flounder trying to apply voluminous policies that are not enforced; strategy-based principles are more efficient.
"Policies must be derived from business strategy. They must also be hierarchically defined to ensure applicability, and should be the basis for enforcement mechanisms." Bouchard said this involved linking policy with security projects.