When it comes to securing their infrastructures, many organizations are like bad cooks. The mess they are making in their proverbial kitchens is only going to get more ugly over the next year if they keep trying to get by on culinary improvisation.
Just like the apprentice chef expecting to whip up a five-star meal without oversight from a head cook, a recipe, the ingredients needed, or the knowledge of how to serve the end product, a lot of variously sized organizations are ad-libbing the process of protecting their electronic assets, warn some analysts.
"It is critical to deal with security at a program level, rather than a project or IT operational process level," contends Chris Byrnes, an analyst with the META Group. "Technology should be the last decision made, and the program-based processes should determine both which technologies are appropriate and how they should be deployed and operated. Without a proper grounding in business requirements, security will either spend too much or too little, but never hit on the right answer."
During the next 12 months, such an approach will render organizations even more helpless than they may have found themselves recently as threats rise, vulnerabilities increase, and they continue to become more reliant on current systems while, at the same time, advocating a move to the latest and greatest ones, agree analysts.
The infosec pressures confronting corporations in 2004 will converge to form one big risk governance problem, says Michael Rasmussen, director of research for information security at Giga. Regulatory compliance will move "full steam ahead next year," demanding that organizations ensure they are complying with IT security and privacy demands.
Additionally, significant threats and persistent system holes will plague companies. The big problem he foresees is an attack that will cause momentous economic damage to the corporate world - like none that has been experienced by the likes of Slammer, Code Red or Nimda. "The... next big worm we have will have a more devastating payload," he predicts, adding that it will be "more widespread in the fact that is could actually destroy systems."
Byrnes says that initiatives like the one announced by Microsoft, in which money is being offered for information resulting in the arrest and conviction of those who launch damaging worms and viruses on the internet, will likely have just the opposite effect of its goal.
"So far, blended threats have clustered in two-year intervals, but we only have two years of history, so the pattern is not set. I would expect at least one more blended threat attack to have large-scale impact. But if it arrives in 2004 it will [be] a shortening of the cycle and would indicate hacker acceleration," he explains. "I'm afraid Microsoft's recent bounty could, in fact, anger the more sophisticated elements of hacker society and cause that acceleration."
In addition, he says the occurrence of zero-day attacks, cyberassaults that exploit vulnerabilities in software first discovered by hackers, will spike: "There will be more. If a blended threat carries a zero-day vector, it will take longer to analyze and repair. It will be even more serious than past blended threats."
Paying the check
Although most analysts agree that infosec worries for businesses will continue to run the gamut next year, from more deadly worms and patching issues to government regulations and other systems worries (think new web applications, expanding wireless networks, instant messaging and peer-to-peer), there might be room for some optimism.
"If you're running a business, there are all sorts of pains. You've got staff problems, attacks problems, where-am-I-going-to-put-my-next-factory problems... Whatever the deal is, you've got problems," says Fred Cohen, principal analyst with the Burton Group. "So is [IT security] a bigger problem than them? No. It's just another thing on my meeting every week. I think more is being spent on computer security now than before, but I think more is being spent on computers now than before and that's just a natural side effect."
Whatever the reason, however, more money will be around for IT security next year. The crux of the problem lies in ensuring that the money budgeted for infosec is actually used, adds Cohen. Unfortunately for many organizations, money still only seems to be spent after big incidents, he says. But there are some more forward-thinking organizations, or maybe ones that have been cited in recent audits, that take care to allocate enough dollars to address their various IT security issues.
Luckily for IT security, contends Jason Wright, industry analyst and program leader for security technologies at Frost & Sullivan, budgets have been less affected than others - even during the economic slump. "Although all budgets have been adversely affected through the economic recession, security has been an area that still has been a little less affected." No doubt there has been a decrease in spending in the security space, he adds, but compared to other areas, infosec has come out a little less bruised. Even with this view, though, one must bear in mind the mindset of business leaders during a recovery period. "They're not just going to start spending at the first chance they have. They're going to wait until this upward swing has some legs to it," he says.
And what they spend on will range from identity management, SSL VPNs, patch management and vulnerability scanning tools to intrusion-prevention technologies and application-protection tools, continues Wright.
Basically, says Rasmussen, the tools companies are looking to buy will help to address security operations and services, policy initiatives, regulatory compliance and network security.
The hope is that they keep their eyes on the ultimate prize - developing one security architecture that meets a multitude of standards and demands, he says. "A lot of it is really developing a corporate risk management program."
To help drive this initiative, he predicts that more organizations will have a chief security officer who will report to a chief risk officer, rather than working directly under a chief information officer, as is the case with many companies' chain-of-command. This type of hierarchy, which seems to be much more
suited to establishing and adhering to a corporate-wide infosec/risk scheme that supports business initiatives, has already started to happen in the financial services industry, he adds.
"Security isn't in a silo. A security incident can impact privacy, physical security and more," he says. It is therefore a requirement to take an organizational viewpoint of infosec, ensuring it extends across the enterprise.
Such a business-enabling vision of infosecurity will be even more crucial as next year's witches' brew of concerns bears down on enterprises. Especially since, concludes Byrnes, "the highest threat for most IT security professionals continues to be the CIO who fails to understand security as a mandatory asset-protection expenditure."