In an effort to establish a Canadian front on the international fight to secure corporate IT infrastructure, IBM Canada Tuesday announced a C$40 million (US$33.5 million) investment over five years in its Canadian security practice and the creation of a security operations center (SOC) in Markham, Ont.
The practice will be a one-stop shop for corporations looking to shore up their IT defenses. Michael Small, the Canadian security practice leader for IBM Global Services, said "there seems to be a band-aid approach to security services, not a holistic approach." In order to move toward the latter, companies need to constantly analyze and prioritize their levels of threat and risk, he said.
By investing in its security practice and setting up a Canadian SOC, IBM Canada will be able to offer Canadian companies a four-pronged approach to security, along with regionally specific security data so that they do not have to rely on worldwide data, he said.
The first prong is to help companies design their security management, from security governance to business strategies and policies. He said the key to this approach is to understand that security is no longer an IT issue but rather a business one.
The second prong is to help companies comply with government regulations and create security awareness programs for employees, partners and customers. The third is vulnerability management, which includes everything from antivirus and physical security to technology vulnerability assessment, patch management, and monitoring hacking and attack trends. The fourth prong is to help companies with their security operations, which includes such things as monitoring systems 24/7.
Small said the root cause of the current state of IT security in corporate Canada is a lack of metrics. Because so few are gathered, companies often fail to understand their level of IT security.
Recent IDC Canada research backs up this claim. Steve Poelking, director of research, software, security and infrastructure management with IDC, said that although a significant number of companies suffered security breaches, only a small percentage (less than 20 per cent) actually attempted to calculate the cost. The result is that Canadian companies are unsure how much to spend on IT security to avoid disasters because they have no idea how much disasters cost. Recently the chief operating officer of Symantec, John Schwartz, said the cost of an attack or disaster is 10 times the cost of preventing it.
Poelking said the Canadian IT security market will grow 12.7 per cent this year, to a value of C$765.3 million.
For companies to start down the road to IT security redemption, they have to understand the value of their assets, Small said. The next step along the path to security is to understand that "the security budget is...fragmented across the organization," he added. IT security funding is often buried in network and physical security budgets. It can even be found in places such as security best practice training costs for application developers.
Small said the key question to ask is "where is the accountability for security?" Companies need to form a security office, which can either be a simple organization overseeing matrix driven documents or a more thorough organization with a chief security officer or chief information security officer at its head, he said.