[ISN] Gartner analysts point out the security you don't need

InfoSec News isn at c4i.org
Tue Sep 21 05:31:13 EDT 2004


By Laura Rohde
IDG News Service

LONDON - The plethora of security technologies on the market are
enough to overwhelm even the most knowledgeable IT managers, but in
sorting through all of the options, it may be helpful to look at what
is not needed, according to Gartner research detailed Monday in London
at its IT Security Summit conference.

The list of security items a company probably doesn't need within the
next five years includes personal digital signatures, quantum key
exchanges, passive intrusion detection, biometrics, tempest shielding
(to protect some devices from emanating decipherable data), default
passwords, or enterprise digital rights management outside of
workgroups, according to Victor Wheatman, vice president and research
area director at Gartner, based in Stamford, Conn.

"You have to be aware of what the over-hyped technologies are. You
don't need personal digital signatures, because in most cases, an
electronic signature will be enough and in terms of biometrics, you
won't need that unless your company is using airplane pilots or has
high-level executives that won't or can't remember passwords,"  
Wheatman said.

Wheatman also singled out "500-page security policies" and security
awareness posters as things an IT manager would be better off not
spending company resources on. "You do need security policies, but not
ones so large that no one reads them. It is also important to have a
business continuity plan. We got a lot of calls when the hurricanes
came through Florida, but for the most part, that was a little too

IT managers need to be much more proactive about implementing systems
that work correctly in the first place, rather than spending the time
and money on fixing problems after the fact, Wheatman said. Software
need not have flaws, Wheatman stressed, and IT managers need to
challenge their vendors to make safer software, otherwise the security
costs within the industry will simply continue to grow.

"We've been in the biggest beta test in history and this test is still
going on: It's called Windows," Wheatman said. "Longhorn will fix some
of the problems (within Windows), but it isn't a full solution and
flaws will remain. Our studies have found that it is three to five
times more expensive to remove software defects after the fact. Why
not get it right to begin with?"

A company should demand proof that a software product it buys is safe
and make sure that the vendor has reviewed the code of the software
with security in mind, he said.

By 2006, Gartner is projecting that when it comes to software and
hardware, a company will be spending 4% to 5% of its IT budget on
security. That number could jump as high as 6% to 9% when staff and
outsourcing services are factored in. But the IT departments that
spend most efficiently on security, even if the expenditure is between
3% and 4% of the IT budget, could actually be the most secure,
Wheatman said.

Martin Smith, the managing director for the security consultation
company, The Security Company (International) Ltd. said in a separate
speech that Wheatman may have been too quick to dismiss some basic
items such as security awareness posters and security policies,
because users need a clear framework that some of those items can
provide. But he did agree with Wheatman that IT managers need to
establish a roadmap for keeping IT systems secure.

"In IT security, do the stuff that's quick and easy: passwords,
training and awareness in the areas that matter. The basic half-dozen
technologies you need are there," Smith said.

Perhaps most importantly, an IT manager needs to demonstrate to the
executives within the company how to take better advantage of the
systems it already has through the use of security.

"We have an appalling absence of basic management metrics for our
trade. If you can measure a problem accurately, you have the Holy
Grail," Smith said. "But what you also must have is a champion at the
board level. Without senior-level support, nothing will ever happen
and you are doomed."

E.M.F. Coyer, infrastructure consultant with the Dutch company Wegener
ICT Kranten, welcomed the advice from both Wheatman and Smith. Coyer
said that she spends much of her time trying to sort though the
variety of software security options as efficiently as she can, and
that one of the primary reasons for attending the Gartner event was to
keep up to date on security trends. But another priority was to learn
how to speak to the executives within her company in a language that
they can understand.

"It is important to hear the technical stuff, to know what the trends
are, but what I find most useful is the message, and how to deliver
that message in a way my bosses and the other non-technical people
within the company can understand and can support," Coyer said.

More information about the ISN mailing list