IT security – commoditized, badly

Infosecurity Today, September/October 2006, column, page 41

Brian Honan

Information security is not just IT security. The better we understand that, the better off we'll be.

Attending this year's Infosec show, it struck me that security has become the new golden goose for the IT industry. The acres of expensive exhibitor stands, the professional presenters and the prevalence of suits as the preferred attire for the attendees showed that information security is now an issue for senior IT and business executives, as well as IT vendors.

After lean years post-Y2K and the dotcom bust, it appears that IT security is providing IT service suppliers, vendors and resellers with a new market from which to extract more money. A few years ago trying to find someone with information security expertise was difficult; nowadays it appears that every reseller, vendor and consultant is offering solutions and advice to companies on how to secure their computing infrastructure. The company that sold you printers a few years ago will now also sell you security solutions.

In addition, press interest in information security is increasing in both industry and mainstream, judging from the increase in the number of titles and column-inches devoted to the subject.

Surely commoditizing IT security and increasing awareness of the issue can only be a Good Thing? Sadly, I am finding the opposite to be true.

In my experience, information technology, and not just information security, is still viewed by many businesses, particularly in the SME sector, as a necessary evil. Far from a Big Bang, they see IT as a black hole from which they get no bang for their buck.

Small business owners in general do not understand the principles of IT, let alone information security. They understand other risks facing their business, such as theft or fire, as they have tangible references based on experience. But information security is not so tangible. They see it as a technology problem. Compounding the issue, most IT professionals treat it as a technical problem that requires a fix rather than a process to manage continually.

The core of the problem is the lack of distinction between IT security and information security. At its most basic, IT security is simply about protecting the IT infrastructure and ensuring its availability. Simply put, if it breaks, fix it.

Information security is about ensuring the information the company relies on is protected and available within acceptable levels of predefined risk. That information can take many forms, with more and more of it being stored electronically on the IT infrastructure. But this does not mean that information security and IT security are one and the same.

Now, there are vendors, consultants and resellers who see an opportunity to make money, but who may themselves not fully understand the difference between information and IT security. We now have a situation where everyone knows IT security is an issue but few understand properly the subtle intricacies.

Too often the focus is on the symptoms of the problem rather than the underlying cause. This means everyone looks for solutions without actually understanding and addressing the problem. Vendors and resellers are only too happy to sell products and services which provide solutions; that is their job. But if the underlying problem is not properly identified and addressed then these solutions are merely Band-aids on a broken leg.

Increasing awareness of information security among business and IT professionals can only be a positive thing. But this needs to be tempered, directed and managed. We need to step away from the product hype and the scare stories and remind ourselves what it is as information security professionals we are trying to achieve.

We need to ensure that people don't focus solely on technological solutions but also incorporate the other key elements of a good information security architecture — people and processes. A holistic view of information security will help us all ensure the goose will keep on laying those eggs.

About the author

Brian Honan is senior consultant with BH Consulting, an independent consulting firm based in Dublin, Ireland. He provides clients with advice on how best to deploy, manage and secure their information infrastructure.
