IT Security - getting what we deserve?

An industry built on pragmatism

First published: February 2007

 
By Jon Collins
 
IT security can be a convoluted business. It seems quite straightforward on the surface - there are good guys and bad guys, and it's a case of keeping one from the other - but you don't need to scratch away much of the conceptual veneer to discover that the picture is more complex than that.
 
While it may look like this is stating the obvious, what is less clear is why we have an IT security industry that has been constructed around the more simplistic view. For evidence we only have to look at the success of companies like Symantec, whose historical profile has been built almost entirely on the back of boxed packages such as anti-virus, intrusion detection and the like. The finger of blame for such a product-oriented approach could be pointed at the security vendors - but as with security itself, assuming the vendors are the bad guys is not going to tell the whole story. After all, in this market economy, they are only supplying according to demand.
 
What of the demand side of the story, then? IT budgets tend to be allocated in one of two ways - either through projects or through operational budgets. The former generally requires some kind of justification process - the term "business case" is bandied around, but this can be anything from a fat document to a remark in the corridor ("so, what's the business case?"). In either case, it will require some kind of business justification, in terms of benefits to the organisation, to be matched against the inherent costs of whatever is being proposed. Meanwhile, operational spend is dictated on a have-to basis rather than a want-to basis: money has to be spread over a wide variety of requirements, and tends to be spent only on what is absolutely necessary.
 
These are all generalisations of course, but the two models of spend will be familiar to anyone who has actually tried to spend money on security products. IT security falls between the two stools - it can be difficult to articulate a justification in terms of business benefits ("being more trustworthy" doesn't map onto anything tangible, for example), and meanwhile, if treated as an operational cost, it needs to fight its corner against all other requirements. It is no wonder, then, that the mainstays of the security market are products that are easy to articulate and to buy. A-V is one example; virtual private networking, anti-spam and intrusion detection are all tangible, explainable and demonstrable. Indeed, the chances are that everyone right up to the CEO has had some experience of them.
 
It should also come as no surprise that security vendors are keen to cast a lens onto such areas. By intent or fortunate coincidence they are aided and abetted by the IT press, for whom a story about eastern European students cracking codes will always be more interesting than yet another incident of hard disks failing. It's like car crashes versus smoking - the latter may be the larger cause of death, but smoking-related deaths are just not interesting enough to make the papers.
 
Personal experience and media hype are a powerful combination, but in IT security, as with smoking-related death, they mask the true issues. It is easy to say that security is about risk management; that people inside organisations are far more likely to pose a security risk than Russian hackers; that without a holistic view of the security architecture, it is like locking the doors but leaving the windows open. What is far harder is knowing how to do anything about it.
 
There are signs that this is changing, but the change is evolutionary. The IT security industry is moving its attention from "the external threat" to more solution-oriented areas such as risk management and policy-driven security, but it can only do so if customers actually want to buy what is on sale. There are a number of issues that will slow down this evolution, from all sides: not just the difficulties of business justification, but also the fact that many vendor business models are a product of their own product and channel strategies. It will take a while to turn this tanker around, and it is perhaps up to end-user organisations to recognise that they have a part to play. As long as organisations in general continue to treat IT security as a tactical purchase, we will continue to have a product-driven security industry.
 
Freeform Dynamics is a UK based industry analyst and research organisation that investigates and reports on the business impact of developments in the IT and communications (ITC) markets across Europe and the USA.