The Walt Disney World Resort in Florida uses biometric finger geometry technology at its theme and water parks, as well as Pleasure Island. Yet while Mickey may be on the perceived infosecurity/biometric security bandwagon, the move was not motivated by a need to be more safe and sound. Instead the mouse did it to "ease annual and season pass holder admission," says Marilyn Waters, manager for Walt Disney World Public Affairs. Since 1995, season ticket holders have been able to pass through park turnstiles with ease and swiftness, she says. And, "to date, we have not found another system that meets our needs as well as the finger geometry."
While many infosecurity pundits are currently running around espousing the requirement to be more secure, whether through more restrictive cyber/physical access mechanizations, or such technology as biometrics and smartcards, for example, most organizations are looking at potential security tools they might buy to help sustain or increase their bottom lines. They want to make money in a time when that very thing is tight. So security, while at the forefront of some people's minds, is not the sole driver behind infosecurity buying trends - or at least, say other developers in the industry, buying security tools for security's sake does not seem to be the only reason organizations might be looking to MSSPs, security consultants or other vendors in the arena.
Bill Van Emburg, co-founder and COO of Quadrix Solutions Inc., says that while he is seeing much talk about spending on infosecurity, he himself has not really witnessed any fundamental shift in attitudes toward it. More often than not he runs into a company executive who makes a point of the organization's firewall and anti-virus protection as proof of their infosecurity efforts. In the minds of these folks, Van Emburg notes, spending on infosecurity has been completed already. In viewing security as a one-time expense, they feel they have gone through their required due diligence and can now rest easy that the firewall is keeping the bad guys out and making their informational assets safe. (Of course, these same folks might believe in Santa, too, or maybe the Easter Bunny.)
However, if the obvious need for a layer of infosecurity tools and the added management trappings is couched in a pitch that describes an overall business solution, executives seem more interested in its benefits, he notes. As long as the proffered security solutions enable organizations' present and future business endeavors, perhaps revealing that they could save or make money, then they are much more interested in hearing more about this comprehensive solutions/management/systems/policy approach.
Take Mickey's house as an example. When asked about the drive behind the biometric finger scanning purchase, Waters noted that the investment was not about implementing stronger security mechanisms. Rather, it was about easing a once tedious and time-consuming process for customers. So, when Disney initially tested a photo ID system, it was rejected when "guests found [it] unsatisfactory due to the amount of time required."
While it is frequently acknowledged that any security measure may cause some modicum of inconvenience, quite a few organizations are more inclined to show interest in those security technologies that actually ease or even help to create better business practices and applications. Forget about antiquated password or encryption programs that take too much time away from users trying to excel at the jobs for which they were hired - businesses want solutions that actually protect their assets, while at the same time creating more streamlined businesses (and relationships with partners, customers and employees).
Where does such a demand leave vendors you may wonder? According to many infosecurity technology developers exhibiting at the RSA Conference 2002 a couple of weeks ago, it means that solutions providers must tout security as business enabling. The fear, uncertainty and doubt argument - the thing that used to send worried IT managers to their bosses begging for even a little crumb of money a short year to two years ago, will not get much play in a time when bigger pieces of the IT budgets are typically being allocated to infosecurity and ROI is a concept that gets more traction in the security realm with each passing day. (As you will be able to read in SC Magazine's April cover story on Infosecurity Budgeting, quantifying that which is difficult to quantify is not such a nebulous concept as was once perceived.)
After all, the "loosening up of the purse strings gets easier" if a payback can be shown within a year, notes Passlogix's CEO, Mark Boroditsky. And, if a particular company's IT department just does not have the budget for infosecurity measures, then there is even more of a requirement to prove that any infosec purchase made using a particular business unit's jingling pocket of change, no matter how small, is done so with the utmost care, he notes. That is, such a company will want to see that this infosecurity purchase is reducing risk, while at the same time streamlining processes enlisted by customers or partners - which ultimately helps their business. The incentive to buy security must move to making infosecurity technologies and/or services "need to have" tools, as opposed the still too often than not "nice to have" tools, he notes.
Without showing clearly that many of the more sound infosecurity tools and services out there will only aid companies in their business missions, then too many organizations will opt to take their chances. At that point, even the likes of Mickey Mouse - despite their understanding of the numerous benefits that well-placed and properly executed security plans can bring, will be affected by their Internet neighbors. Like the theme park ride says, "It's a small world after all."
Illena Armstrong is U.S. editor of SC Magazine.