The potential damage that this will inflict on brand reputation, customer relationships, and capacity to run a business will continue to move IT security management further up the boardroom agenda. Never has it been so important to get it right when it comes to managing IT security.
In the last two years, a sophisticated approach to tackling the increasing number of security threats has emerged – the integrated security appliance. Appliance vendors have built on the security foundations created by previous approaches to provide a security model that offers the end-user full visibility and control over their network, but takes away the complexity.
Traditional approaches to security have been ad hoc and varied. A potted history of IT security goes something like this. Companies began to view security as a must-have in the early to mid-nineties when the Internet became widely used in business, and email was adopted as the de facto communication medium. At the same time, this opened the company network up to a rife of new emerging security threats.
IT managers responded by purchasing a number of bolt-on security products, such as firewalls and anti-virus software, but for many, managing these proved -and still proves to those that still take this approach - to be too complex and time-consuming.
A lack of in-house skilled security specialists presented IT managers with a considerable problem and for many, the only way out was to wash their hands of it completely and outsource it to a third party. IT managers decided this was a good idea because it removed the burden of retaining resources in-house and handed responsibility over to the experts. Security was expensive and service providers were seen as a way to reduce cost without sacrificing security.
However, the trade-off for allowing a third party to manage a company's IT infrastructure, is that an outsider has access to its data and can dictate how it is managed. The biggest issue people have with this, especially those at board level, is trust.
We are seeing a shift away from the managed services approach in an attempt to bring the control back in-house, through the deployment of new technologies, such as integrated security appliances. Under the managed services approach, a lack of visibility means that in-house IT departments only ever find out about big issues and successes. They tend not to receive vital day-to-day management information. This means that the company cannot learn from its mistakes and tweak security policies to match new threats targeting the network. When a third party is managing a company's security, it is possible for the in-house team to know nothing about a virus outbreak, until it's too late and has become irrelevant.
This year, financial services company JP Morgan Chase cancelled an IBM outsourcing deal worth five billion pounds in an effort to keep services in-house. Cable & Wireless did the same. No doubt 2005 will see the business case of outsourcing questioned further, you only have to look at recent news headlines for evidence of this.
It is widely acknowledged that an IT manager's biggest security management issue is email. According to the 2004 DTI PricewaterhouseCoopers Information Security Breaches survey, email still constitutes the biggest virus risk by far, with 83% of companies admitting that they had received infected emails and files in the past year.
But many companies are still missing a trick when it comes to effectively managing and securing email. Third parties are so paranoid about customers receiving a virus because it's built into their contract, that they end up holding onto messages for eight, twelve, or even sixteen hours to ensure they are clean before they release them. This means that they are sitting on an ISP's network somewhere on the Internet while they decide whether a file is a virus. Similarly, over-aggressive spam filters often mean that legitimate emails do not make it through, which has a detrimental effect on business. It also means that customers receive big spikes and valleys of emails, which can significantly increase workload and result in huge productivity losses.
Building on past mistakes, the integrated security appliance was built to be easy to use and manage in-house while bringing control back to the customer. Unlike the outsourcing model, where by an outsider creates the policy, it allows the user to apply their own policy as and when they want, according to the nature of threats that are occurring on the network. This makes it more relevant to the nature of their business and does away with the one-size-fits-all approach. Security threats change daily and policies need to reflect this.
An appliance is built for ease of management; any organisation can deploy an appliance without expensive technical staff to manage it, which is often the case with software solutions. According to the PWC survey, only one in ten companies have staff with formal information security qualifications.
An integrated security appliance has all the advantages that bolt-on products and a third-party approach bring, but none of the pitfalls. Its proactive nature means that it scans for viruses and spam 24/7 and delivers levels of protection, which organisations cannot economically achieve with other security management approaches. This reduces cost and administration over-head for organisations desperate to cut costs.
Keeping up with the sheer number and types of security threats emerging every day is no easy task. But as the new year begins, it should be every company's new year's resolution to ensure IT security management is one of their top priorities in 2005.
The author is a regional director of IronPort Systems.