We talk to a lot of people in this industry and we listen even more.To help us understand even better, we've organized an Editorial Advisory Board of infosecurity practitioners. In this issue's cover story, they share their views on the future of IT security.
The story provides much insight on what's happening in infosec, but one area that needed a bit more focus was the issue of over-hyped technology. Some experts noted that IT security can't be over-hyped enough, given how little attention and resources it is still given. Others contended that confusion arises when marketers put too much spin on infosec problems and technology.
For example, the propaganda surrounding intrusion prevention this past year got a little out of hand, often befuddling buyers.
"I think it has a place in an enterprise's 'layers of defense' mechanisms, especially protecting critical systems, but it sometimes is touted as being more capable in a broad sense than it actually is," says Randy Sanovic of GM, who graces our cover this month. "I think IPS is still a maturing technology, and if it delivers as projected, it can be very useful in protecting an enterprise's most mission-critical and sensitive environments." But for Marc Rogers of Purdue University, IPS has just been one big disappointment.
"Despite marketing claims, it has not succeeded in significantly reducing worm or virus infestations. Most systems succeed in causing a denial of valid traffic along with the bad. IPS has similar issues to IDS, in that you have to teach the system and go through a rather lengthy process of tweaking and re-tweaking rules to arrive at an acceptable false positive rate," he argues. "Then there is the debate over network-based, host-based or hybrid IPS configurations. You still have to implement and configure these correctly or they are just another bottleneck. As other industry analysts have remarked, IPS is still too immature and is not a substitute for controlling your own network."
Among the other over-hyped technologies biometrics, PKI, database encryption and intrusion detection made the list.
"It's the year of PKI! No, wait, it's the year of smartcards. No, it's appliances! We certainly have our share of over-hyped technology in security. Seems like every year the industry has a new thing," says Computer Associates' Toby Weiss.
So what's a security technology buyer to do? He suggests having a look at what back-end system guys have always known: "We never had this problem on the mainframe, because mainframers focused on strong access controls. If we continue to ignore the most important principle of security – managing who has access to what – we will continually be sold over-hyped technology."
Illena Armstrong is U.S. editor