It's not easy convincing skeptical bosses to invest in infosecurity programs. Without solid return-on-investment metrics, you might find yourself resorting to nebulous arguments in negative terms – not the sharpest tools in the rhetorical toolbox.
This was one of the issues addressed by SC Magazine's new Editorial Advisory Board, consisting of IT security luminaries from financial, healthcare, government and educational sectors, as well as from the IT security vendor community. SC Magazine asked the members to share their outlook for the future of the industry and offer their views on what is in store for the average CSO in the coming months.
The first topic on the table was how to get infosec budget from company boards and finance departments reluctant to loosen the purse strings.
The advisory board's take on this was that IT security professionals must forget the FUD – fear, uncertainty and doubt – approach and drop the unsubstantiated return-on-investment theories. Lloyd Hession, CSO of Radianz, points out that crying wolf no longer works with business chiefs who are increasingly aware that the ROI models are dubious. Security executives are faced with the same old problem of "proving a negative problem: I was not hacked, therefore my security must be good [or] better," he explains.
This translates into ensuring that senior managers and boards of directors understand "the business reasons for security," explains Gene Fredriksen, vice-president of information security for Raymond James & Associates. He argues that the best way to do this is to provide "real information regarding the increasing number of threats to the organization, paired with the decreasing time from vulnerability to exploit." In other words, security executives need to explain in simple terms what this trend means to the business, and the seriousness of its impact.
And to be sure their advice is solid, IT security officers should ensure that their "risk projections are based on the best information available," he adds.
If security executives want their companies to appreciate the tangible business benefits of improved infosecurity – smoother business operations – they need to speak the language of the business, says Kevin Dickey, deputy chief information officer and CISO for Contra Costa County in California. He takes the view that when company executives understand that IT security is a business enabler – making staff more efficient and productive – they will be able to appreciate the need for the requisite tools: end-user training, detailed policies and controls, and so on. IT security executives should adopt the tools of the business mainstream – such as business impact analyses, risk assessments and business continuity planning – in order to communicate the core issues to their colleagues, he argues. This will help to bring "focus to information security" not as just an IT issue, but also as a business one.
Tackling the problems of scale
And while some security executives do attempt to demonstrate ROI for their infosec projects, some organizations are too large and complex to attempt to show ROI on every initiative, says Jaime Chanaga, CISO of Geisinger Health System. "Companies must accept that IT security is a cost center, will always be a cost center and should be an expected part of business," he says.
And, thanks to the number of regulations that companies must comply with today, IT security has become more expensive. But, on the bright side, "the need to comply with regulatory requirements might make it easier to grow security budgets," says Hession.
And there is a danger that in their attempts to win budget, CSOs fall prey to the temptation to over-hype a single technological solution, warns Amy Carroll, senior director of product management in the Security Business & Technology Unit at Microsoft Corp. IT security professionals need to be wary of promoting any technological solution as a "silver bullet," she says.
"Given the importance of security in IT, I think it's hard to over-hype the issue, but the tendency exists to look at a particular technology or class of technology as a 'darling' at any given time. The truth is, I think there's a role for almost any security solution, but anything that is marketed as a 'silver bullet' or complete security solution runs the risk of giving the users a false sense of security," she explains.
Security issues of a different order arose when the board went on to discuss the implications of the Patriot Act. With the presidential elections out of the way, both vendors and analysts say they are fielding more and more questions from IT security executives about how the Act will affect them, their security processes and, perhaps, in future, their bottom line.
Marc Rogers, associate professor in the Computer Technology Department and a research scientist at The Center for Education and Research in Information Assurance and Security at Purdue University, says the act will have the most impact internationally since "it extends the United States' powers into areas commonly protected under sovereign rights of other nations." Additionally, it has serious implications for Fourth Amendment rights in the U.S.
Sarbanes Oxley (SOX) compliance also came in for discussion.
Under section 404 of SOX, infosec departments in publicly-traded U.S. companies have a duty to protect their firms' internal controls over financial reporting, claims Paul Kurtz, executive director of the Cyber Security Industry Alliance. This law will have a major impact on IT security in the corporate world during 2005, he said, adding: "The next question is 'how' to comply."
This is a bit of a challenge for companies, since CFOs, CIOs and auditors must work together to forge common guidelines. But Dave Cullinane, chief information security officer (CISO) with Washington Mutual, Inc., suggests that Basel II requirements centering around the quantification of losses from information security incidents may help in developing plans. Based on this, CSOs can establish useful risk models.
"As CISOs/CSOs, we must begin to effectively track losses related to security issues, including both direct and indirect losses, and demonstrate the amount an organization's risk profile has been reduced through the implementation of security tools," he says.
Emerging threats in 2005
Companies will see no end to SOX-related demands in 2005, even if they have adhered to last year's deadlines, he adds. "There will be more to do in 2005 and beyond, as emerging threats change the requirements for security controls. Establishing and maintaining an effective control framework is no small task and will take more than one year to implement effectively," he says.
Bob Gleichauf, chief technology officer of Cisco Systems' newly-formed security technology group, predicts that demands for compliance will become more complicated as companies look to meet privacy, identity theft and other security requirements set forth in the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act – whose security deadlines hit in April – and the likes of California's Senate Bill 1386 or the European Union's privacy and data protection directives.
"These regulations can be challenging to interpret," says Gleichauf. "In many instances, compliance with regulations does not translate into a more secure enterprise."
The next question addressed by the board was why some companies are more successful than others at making their IT systems secure.
Dennis Devlin, vice-president and corporate security officer with The Thomson Corporation, points out that security is not just a question of technology. "People and process are essential, and technology is an enabling tool. If purchasing technology could make an enterprise secure, everyone would have done it by now," he said.
Microsoft's Carroll argues that it is important that companies such as hers, as vendors, "provide more harmonized solutions that respect the human factor, and minimize or eliminate complexity without sacrificing efficiency."
Randy Sanovic, general director of information systems security at General Motors Corporation, sees the human factor as characterizing an important trend for the coming year. "I expect the trend will be to consolidate the various IT security technologies into more enterprise-acceptable and interoperable systems."
Sanovic sees vendors moving toward more integrated security solutions to replace the more fragmented systems of the past – making them easier to operate and manage. He sees this as a trend for 2005, "with the bigger players acquiring and integrating the appropriate products into their enterprise offerings. This would make it more acceptable for enterprises to evaluate and embed integrated, 'longer-term' suites of the appropriate IT security technologies into their infrastructure," he added.
Gerhard Eschelbeck, CTO and vice-president of engineering for Qualys, argues that this trend proves that the market is in the middle of an important transition. While there was a time when users demanded support for "integrated security architectures from vendors which were focused on tactical solutions for specific problems, 2005 will be the year of security integration – developing open and standardized interfaces to share, distribute and correlate security-relevant events and information," he says. "Security vendors without such capabilities will fade from the security market, no matter how large or small they are."
A consolidating market
Such predictions raised the issue of a shrinking IT security vendor list shaped by acquisitions and mergers.
Some board members argue that this is crippling innovation. Peter Stephenson, director of information assurance for Eastern Michigan University's Center for Regional and National Security, reckons that product development is already suffering.
"All I see is more examples of the same things and the same old problems are going unsolved. We have serious problems, such as phishing, that nobody has been able to address in a creative enough way that the problem gets solved," he says. "Will the market be dominated by one or two players? I hope not. There is little enough innovation now. That kind of coalescence would certainly kill what little is left. Big business has no interest in innovation because innovation is risky. Only the little guys will take risks."
And, in the not-too-distant future, those little guys will be few and far between, adds Rogers. "If the acquisitions and mergers trend continues, then we will see only one or two major players, with a few boutique firms surviving. This is the direction the major players are heading towards," he says.
But Jason Wright, industry analyst and program leader of security technologies with Frost & Sullivan, finds it difficult to imagine an IT security industry dominated by one or two players. This is especially true, he says, since larger organizations "are often more docile than they need to be" in a market that evolves quickly to adapt to fast-moving technology and threats.
"More importantly, though, if one or two players dominated the market, they would become the next Microsoft, which is constantly targeted by malicious hackers," he warns.
While most board members see consolidation continuing into the future, Amit Yoran, former director of the Department of Homeland Security's National Cyber Security Division, points to a rash of start-ups in the IT security industry. As a result of all the competition, firewalls are better, host protections are more effective and intrusion detection systems are more efficient, he says.
Despite this, the industry will have to keep moving if it wants to stay ahead of the threats. "We will need a slew of new concepts in security over the next few years," he adds.
An evolving security professional
But while vendor companies might be coming and going, IT security professionals will never want for jobs in the wider world, according to James Duffy, president and chief executive of (ISC)². He claims there is a shortage of IT security pros, so those vying for a position in the business will have more opportunities now and in the future – although, he says, people will need to show they have trained for the job. "With the ever-evolving nature of threats, security education is going to become more important to securing the enterprise," he says.
Infosec executives will need to be able to see the bigger picture, says Toby Weiss, senior vice-president of product management for eTrust solutions at Computer Associates. "The infosec exec of the future will be an expert in corporate governance, able to talk to the business, and understand security in depth – from application development to operational security."
Since security pros often report to senior executives who might be less informed about technical matters, it is important for them to understand the corporations' business needs and, more importantly, that they are able to talk about security in those terms, he adds.
Still, no individual IT security professional will be able to know all about information security. "In 1997, it was possible to know just about everything you needed to know about information security," says Stephen Northcutt, director of training and certification at The SANS Institute. "Today, the field is too broad for anyone to master."
IT security must therefore be a team effort. It will involve not only the infosec department's CSO, security managers and infosec engineers, but other departments as well. For example, the IT security pro will need to get to know their internal auditors, finance counterparts and networking colleagues pretty well in order to meet compliance demands and establish a security infrastructure, says Symantec's Tim Mather, vice-president and CISO, information technology.
Finally, end users will always be key to safeguarding any corporate network. "The role of the CSO has evolved from being primarily a technologist to being a team builder, a security evangelist, and a business advisor," says Devlin. "Security is only played well as a team sport, and every technology user plays an important position on the team."