When discussing IT and network security, industry experts routinely point to climbing budgets, technology innovation and survey results that show security concerns atop the minds of CEOs, all as signs of the sector’s strength. They fail to mention the dirty little secret of the security industry — to this point network security has been a failed exercise.
Security solutions remain one step behind hackers, attackers, intruders and data thieves, which makes the approach purely reactive. Developments in security technology focus more on responding to the most recent threat or fixing the problems caused by the latest solutions than on preventing the next attack.
Part of the blame lies squarely on the shoulders of the vendors who shout fear, uncertainty and doubt (FUD) from the mountaintops and then swoop in with unverified performance claims and no auditing capability to validate that the product functions at all.
The strategy has been a boon to security vendors: research from Gartner claims that security spending will surpass 5 per cent of IT budgets this year for the first time ever, and that spending growth in the sector has far outstripped overall IT spending over the past three years.
However, the FUD factor has proved less generous to end-user organisations. They’ve bought in record amounts despite the overall malaise in the market and have little to show for it.
According to the most recent CSI/FBI Computer Crime and Security Survey, 56 per cent of respondents reported unauthorised use of computer systems in the past year. Yet, more than 90 per cent of respondents use firewalls and most employ additional advanced security techniques, such as virtual private networks or intrusion detection systems.
The primary factor contributing to the failure of security strategies lies in the conflict between security and connectivity. Organisations strive to maximise both security and connectivity, without realising they are opposite ends of the same spectrum.
On one end is absolute connectivity, with everyone connected to everything and free to access whatever he or she pleases. Moving away from that extreme increases security — limiting access to information and restricting incoming connections.
As long as a connection exists between the outside world and inside information, that connection remains a security risk — an opportunity an intruder can exploit to gain access.
Geoff Rhodes is general manager, Tenix Datagate