The plethora of security technologies on the market is enough to overwhelm even the most knowledgeable IT managers, but in sorting through all of the options, it may be helpful to look at what is not needed. That's according to research from Gartner, detailed this week at its IT Security Summit conference in London.
The list of security items a company probably doesn't need within the next five years includes personal digital signatures, quantum key exchanges, passive intrusion detection, biometrics, tempest shielding (to protect some devices from emanating decipherable data), default passwords and enterprise digital rights management outside of workgroups, according to Victor Wheatman, vice president and research area director at Gartner.
"You have to be aware of what the over-hyped technologies are. You don't need personal digital signatures, because in most cases, an electronic signature will be enough and in terms of biometrics, you won't need that unless your company is using airplane pilots or has high level executives who won't or can't remember passwords," Wheatman says.
Wheatman also singled out "500-page security policies" and security awareness posters as things an IT manager would be better off not spending company resources on. "You do need security policies, but not ones so large that no one reads them. It is also important to have a business continuity plan. We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late."
IT managers need to be much more proactive about implementing systems that work correctly in the first place, rather than spending the time and money on fixing problems after the fact, Wheatman says.
Software need not have flaws and IT managers need to challenge their vendors to make safer software, otherwise the security costs within the industry will simply continue to grow.
"We've been in the biggest beta test in history and this test is still going on: It's called Windows," Wheatman says. "Longhorn will fix some of the problems [within Windows], but it isn't a full solution and flaws will remain. Our studies have found that it is three- to five-times more expensive to remove software defects after the fact. Why not get it right to begin with?"
A company should demand proof that a software product it buys is safe and make sure that the vendor has reviewed the code of the software with security in mind, he says.
By 2006, Gartner is projecting that when it comes to software and hardware, a company will be spending between 4 percent and 5 percent of its IT budget on security. That number could jump as high as 6 percent to 9 percent when staff and outsourcing services are factored in. But the IT departments that spend most efficiently on security, even if the expenditure is between 3 percent and 4 percent of the IT budget, could actually be the most secure, Wheatman says.
Martin Smith, the managing director for the security consultation company The Security Company (International) said in a separate speech that Wheatman may have been too quick to dismiss some basic items such as security awareness posters and security policies, because users need a clear framework that some of those items can provide. But he did agree with Wheatman that IT managers need to establish a road map for keeping IT systems secure.
"In IT security, do the stuff that's quick and easy: Passwords, training and awareness in the areas that matter. The basic half dozen technologies you need are there," Smith says.
Perhaps most importantly, an IT manager needs to demonstrate to the executives within the company how to take better advantage of the systems it already has through the use of security.
"We have an appalling absence of basic management metrics for our trade. If you can measure a problem accurately, you have the Holy Grail," Smith says. "But what you also must have is a champion at the board level. Without senior level support, nothing will ever happen and you are doomed."
E.M.F. Coyer, infrastructure consultant with the Dutch company Wegener ICT Kranten, welcomes the advice from both Wheatman and Smith. Coyer says that she spends much of her time trying to sort though the variety of software security options as efficiently as she can, and that one of the primary reasons for attending the Gartner event was to keep up to date on security trends. But another priority was to learn how to speak to the executives within her company in a language that they can understand.
"It is important to hear the technical stuff, to know what the trends are; but what I find most useful is the message, and how to deliver that message in a way my bosses and the other nontechnical people within the company can understand and can support," Coyer says.