Everett Dirksen would be proud. The senator from Illinois famously said during a budget debate that "a billion here and a billion there, and soon you're talking about real money." Dirksen's line must have come to more than a few minds with IBM's announcement that it will support its new security initiative with $1.5 billion in spending next year.
The company's goals and procedures are summed up nicely in this News.com report. Security vendors -- and, presumably, their customers -- have given up the ghost of trying to protect everything. The new narrative, and one that really makes a lot more sense, is to manage risk. InformationWeek puts the admission that this approach, while more sensible, concedes a certain level of inherent danger this way:
[IBM's approach] involves looking at security as a finite set of controls that are being monitored rather than an effort to lock up everything.
One of the big reasons that the goal of security vendors is becoming a tad more conditional is the growing number of sources of danger. For instance, it now is possible for a computer user to get his PC -- and the corporate network to which it is attached -- into big trouble just by visiting a particular site. It's hard to offer certainty in such a world.
That doesn't mean companies aren't trying. Last week, according to Computer Business Review, McAfee agreed to buy ScanAlert, a company that audits and certifies Web sites. The company will become part of McAfee's SiteAdvisor service which, as the name implies, alerts surfers on the wisdom of visiting particular sites.
Security analyst Bruce Schneier undoubtedly is a smart guy. He probably gets as much press as he does, however, because he also is quotable. This Tech.Blorge report on a teleconference Schneier participated in reinforces the idea that security is increasingly uncertain. Schneier says many products today only provide "the feeling" of security based on selling assurances to a fearful public. He labels this verisimilitude "security theatre" and says it enables poor products to crowd out those that are far superior.
Schneier offers four clever premises that can lead to an understanding of network dynamics and, possibly, savvier security purchases. He says the more valuable a network is, the more likely it is to be dominated by bigger firms; software is a high fixed cost/low marginal cost business; the cost of switching software providers is so high that users tend to stay with their current vendors; and software is a market in which buyers know much more than sellers about products.
More evidence that today's security is, in essence, a best-effort undertaking is the growth of security event management (SEM) tools. This very nice overview at ComputerWeekly.com describes the sector. These products ride herd over a wide variety of security devices, correlate data and assess where the greatest threats are from. The takeaway is that these clearly are powerful tools but, judging from that definition, are fallible. The biggest players are ArcSight ESM, CA eTrust, ExaProtect Security Management System, IBM Tivoli Security Event Manager, Intellitactics Enterprise Security Management, netForensics NFX Open Security Platform, Network Intelligence and NetIQ Security Manager, the story says.
The link between compliance and security also is growing. It was a rationale for the IBM initiative and the main focus of BearingPoint's introduction last week of its Compliance and Security Solution Suite. The suite of services addresses credit, operational and market risks. The company also says the suite helps organizations conform to financial and accounting regulations. Security services, including those related to information security and identity management, are accomplished using biometrics, radio frequency identification (RFID) and other technologies.
The bottom line is that security is changing drastically. On one level, the meeting of security and compliance is opening up the formerly closed silos of security data and applications. Perhaps more importantly, the increasingly porous nature of the Internet -- which is crawling with remote and mobile workers and interactive (and sometimes malicious) Web sites -- is leading people to finally realize that total security is a true impossibility.