2005 has already seen spammers and virus writers become more shrewd, more malicious, more sophisticated and more hungry for commercial gain. The potential damage that this will inflict on brand reputation, customer relationships, and capacity to run a business will continue to move IT security management further up the boardroom agenda – never has it been so important to get it right.
In the last two years, a sophisticated approach to tackling the increasing number of security threats has emerged – the integrated security appliance. Appliance vendors have built on the security foundations created by previous approaches to provide a security model that offers the end-user full visibility and control over their network, while removing the complexity.
Traditional approaches to security have been ad hoc and varied. Companies began to view security as a must-have in the early to mid-nineties when the Internet became widely used in business, and email was adopted as the de facto communication medium. At the same time, this opened the company network up to a rife of new security threats.
IT managers responded by purchasing a number of bolt-on security products, such as firewalls and anti-virus software, but for many, managing these proved -and still proves – to be too complex and time-consuming.
A lack of in-house skilled security specialists presented IT managers with a considerable problem and for many, the only way out was to outsource it to a third party. IT managers decided this was a good idea because it removed the burden of retaining resources in-house and handed responsibility over to the experts.
However, the trade-off for allowing a third party to manage a company’s IT infrastructure, is that an outsider has access to its data and can dictate how it is managed. The biggest issue people have with this, especially those at board level, is trust.
We are seeing a shift away from the managed services approach in an attempt to bring the control back in-house, through the deployment of new technologies, such as integrated security appliances. Under the managed services approach, a lack of visibility means that in-house IT departments only ever find out about big issues and successes. They never tend to receive day-to-day information. This means that the company cannot learn from its mistakes and tweak security policies to match new threats.
This year, financial services company JP Morgan Chase cancelled an IBM outsourcing deal worth five billion pounds in an effort to keep services in-house. Cable & Wireless did the same. No doubt 2005 will see the business case of outsourcing questioned further, you only have to look at recent news headlines for evidence of this.
It is widely acknowledged that an IT manager’s biggest security management issue is email. According to the 2004 DTI PricewaterhouseCoopers Information Security Breaches survey, email still constitutes the biggest virus risk by far, with 83% of companies admitting that they had received infected emails and files in the past year.
But many companies are still missing a trick when it comes to effectively managing and securing email. Third parties are so paranoid about customers receiving a virus because it’s built into their contract, that they end up holding onto messages for eight, twelve, or even sixteen hours to ensure they are clean before they release them. Similarly, over-aggressive spam filters often mean that legitimate emails do not make it through, which has a detrimental effect on business.
Building on past mistakes, the integrated security appliance was built to be easy to use and manage in-house while bringing control back to the customer. Unlike the outsourcing model, where by an outsider creates the policy, it allows the user to apply their own policy as and when they want, according to the nature of threats that are occurring on the network. This makes it more relevant to the nature of their business and does away with the one-size-fits-all approach. Security threats change daily and policies need to reflect this.
An appliance is built for ease of management; any organisation can deploy an appliance without expensive technical staff to manage it. According to the PWC survey, only one in ten companies have staff with formal information security qualifications.
An integrated security appliance has all the advantages that bolt-on products and a third-party approach bring, but none of the pitfalls. Its proactive nature means that it scans for viruses and spam 24/7 and delivers levels of protection, which organisations cannot economically achieve with other security management approaches. This reduces cost and administration over-head for organisations desperate to cut costs.
Keeping up with the sheer number and types of security threats emerging every day is no easy task. But as the new year begins, it should be every company’s new year’s resolution to ensure IT security management is one of their top priorities in 2005.
IronPort Systems are exhibiting at Infosecurity Europe 2006. Held on the 25th – 27th April 2006 in the Grand Hall, Olympia, this is a must attend event for all IT professionals involved in Information Security.