The Only Security Certainty: Things Are Changing Rapidly

Carl Weinschenk

Everett Dirksen would be proud. The senator from Illinois famously said during a budget debate that "a billion here and a billion there, and soon you're talking about real money." Dirksen's line must have come to more than a few minds with IBM's announcement that it will support its new security initiative with $1.5 billion in spending next year.


The company's goals and procedures are summed up nicely in this report. Security vendors -- and, presumably, their customers -- have given up the ghost of trying to protect everything. The new narrative, and one that really makes a lot more sense, is to manage risk. InformationWeek puts the admission that this approach, while more sensible, concedes a certain level of inherent danger this way:

[IBM's approach] involves looking at security as a finite set of controls that are being monitored rather than an effort to lock up everything.

One of the big reasons that the goal of security vendors is becoming a tad more conditional is the growing number of sources of danger. For instance, it now is possible for a computer user to get his PC -- and the corporate network to which it is attached -- into big trouble just by visiting a particular site. It's hard to offer certainty in such a world.


That doesn't mean companies aren't trying. Last week, according to Computer Business Review, McAfee agreed to buy ScanAlert, a company that audits and certifies Web sites. The company will become part of McAfee's SiteAdvisor service which, as the name implies, alerts surfers on the wisdom of visiting particular sites.


Security analyst Bruce Schneier undoubtedly is a smart guy. He probably gets as much press as he does, however, because he also is quotable. This Tech.Blorge report on a teleconference Schneier participated in reinforces the idea that security is increasingly uncertain. Schneier says many products today only provide "the feeling" of security based on selling assurances to a fearful public. He labels this verisimilitude "security theatre" and says it enables poor products to crowd out those that are far superior.


Schneier offers four clever premises that can lead to an understanding of network dynamics and, possibly, savvier security purchases. He says the more valuable a network is, the more likely it is to be dominated by bigger firms; software is a high fixed cost/low marginal cost business; the cost of switching software providers is so high that users tend to stay with their current vendors; and software is a market in which buyers know much more than sellers about products.


More evidence that today's security is, in essence, a best-effort undertaking is the growth of security event management (SEM) tools. This very nice overview at describes the sector. These products ride herd over a wide variety of security devices, correlate their data and assess where the greatest threats are coming from. The takeaway is that these clearly are powerful tools but, judging from that definition, are fallible. The biggest players are ArcSight ESM, CA eTrust, ExaProtect Security Management System, IBM Tivoli Security Event Manager, Intellitactics Enterprise Security Management, netForensics NFX Open Security Platform, Network Intelligence and NetIQ Security Manager, the story says.
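The "correlate data and assess where the greatest threats are from" step in that description, as an added example written for this post and not code from any of the products named: a small correlator that parses log lines from a hypothetical firewall, IDS and authentication server, normalizes them into one event shape, scores each source address across devices, and ranks the result. The log lines, addresses and weights are constructed assumptions. The count of lines it could not parse is reported alongside the ranking, which is the point about fallibility: a tool can only weigh what it understands.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines from three hypothetical devices (not real traffic).
SAMPLE_LOGS = [
    "fw  2007-11-06T07:40:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "fw  2007-11-06T07:40:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "fw  2007-11-06T07:40:03 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "ids 2007-11-06T07:40:05 ALERT sig=SSH_BRUTE src=203.0.113.7 dst=10.0.0.5",
    "auth 2007-11-06T07:40:06 FAILED_LOGIN user=admin src=203.0.113.7",
    "auth 2007-11-06T07:40:07 FAILED_LOGIN user=admin src=203.0.113.7",
    "auth 2007-11-06T07:40:08 LOGIN_OK user=admin src=203.0.113.7",
    "fw  2007-11-06T07:41:00 DENY src=198.51.100.2 dst=10.0.0.9 dport=80",
    "auth 2007-11-06T07:41:30 LOGIN_OK user=alice src=192.0.2.10",
    "garbage line that no parser understands",
]


@dataclass
class Event:
    device: str  # which sensor produced the line
    ts: str      # ISO timestamp as logged (sorts correctly as a string)
    kind: str    # normalized event type shared across devices
    src: str     # source address the event is attributed to


# One pattern per device type; each yields (ts, kind, src).
PATTERNS = {
    "fw":   re.compile(r"^fw\s+(\S+)\s+(DENY|ALLOW)\s+src=(\S+)"),
    "ids":  re.compile(r"^ids\s+(\S+)\s+(ALERT)\s+sig=\S+\s+src=(\S+)"),
    "auth": re.compile(r"^auth\s+(\S+)\s+(FAILED_LOGIN|LOGIN_OK)\s+user=\S+\s+src=(\S+)"),
}

# Per-event weights (hypothetical; a real deployment tunes these).
WEIGHTS = {"DENY": 1, "ALLOW": 0, "ALERT": 5, "FAILED_LOGIN": 2, "LOGIN_OK": 0}
# Bonus when a successful login from a source follows its own failed attempts.
FAILED_THEN_SUCCESS_BONUS = 10


def parse_line(line: str) -> Optional[Event]:
    """Normalize one raw line into an Event, or None if no parser matches."""
    for device, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            ts, kind, src = m.groups()
            return Event(device, ts, kind, src)
    return None


def correlate(lines):
    """Return ({src: (score, sorted devices reporting it)}, unparsed_count)."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    events.sort(key=lambda e: e.ts)  # cross-device ordering by time

    score = defaultdict(int)
    devices = defaultdict(set)
    failed_seen = set()  # sources with a failed login not yet followed by success
    for ev in events:
        score[ev.src] += WEIGHTS[ev.kind]
        devices[ev.src].add(ev.device)
        if ev.kind == "FAILED_LOGIN":
            failed_seen.add(ev.src)
        elif ev.kind == "LOGIN_OK" and ev.src in failed_seen:
            # The sequence, not any single line, is what makes this notable.
            score[ev.src] += FAILED_THEN_SUCCESS_BONUS
            failed_seen.discard(ev.src)  # reward once per run of failures
    return {s: (score[s], sorted(devices[s])) for s in score}, unparsed


def rank_sources(lines):
    """Rank sources by descending score (ties broken by address)."""
    summary, unparsed = correlate(lines)
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return ranked, unparsed


if __name__ == "__main__":
    ranked, unparsed = rank_sources(SAMPLE_LOGS)
    for src, (score, devs) in ranked:
        print(f"{src:15} score={score:3} seen_by={','.join(devs)}")
    print(f"unparsed lines (invisible to the ranking): {unparsed}")
```

The top source scores highly not because of any one line but because three devices report it and the failed-then-successful login sequence is recognized; the unparsed line never enters the ranking at all, which is exactly the blind spot the article is pointing at.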


The link between compliance and security also is growing. It was a rationale for the IBM initiative and the main focus of BearingPoint's introduction last week of its Compliance and Security Solution Suite. The suite of services addresses credit, operational and market risks. The company also says the suite helps organizations conform to financial and accounting regulations. Security services, including those related to information security and identity management, are accomplished using biometrics, radio frequency identification (RFID) and other technologies.


The bottom line is that security is changing drastically. On one level, the meeting of security and compliance is opening up the formerly closed silos of security data and applications. Perhaps more importantly, the increasingly porous nature of the Internet -- which is crawling with remote and mobile workers and interactive (and sometimes malicious) Web sites -- is leading people to finally realize that total security is a true impossibility.

Nov 6, 2007 7:40 AM Jason Holloway says:
Those chasing total security are assured only of total failure. Whether a multinational enterprise or a governmental organization, we all have to take a pragmatic approach to security, balancing costs (in time, resources and dollars) against risks. This is just as true for (Information/IT) Security as for other aspects of security. We can start by making better use of the knowledge, tools and logs we already have, as Dan Geer brilliantly illustrated in this recent Usenix presentation on Measuring Security: organizations fail to properly measure their current security status and risk exposure. Just doing this 'reasonably well' requires strong commitment from different divisions and senior management, coupled with educated/trained personnel and the right tools and processes. It is not an overnight job and it is by no means easy. We regularly cover a number of these topics in our 'Security Management News' newsletter. We invite you to read this at: up the great work. Kind regards, Jason.
Nov 6, 2007 7:42 AM Jason Holloway says:
Agh!! I included fake tags around the last paragraph of my previous post to signify it was an obvious plug. These appear to have been stripped. Apologies.
