Illena Armstrong asks if the big IT vendors can re-engineer themselves for security in light of today’s pressing business needs
In today's shaky economy, IT security has become one of the more desirable markets in which to compete. No longer reserved for a handful of infosec specialists, vendors of operating systems or network infrastructures are jumping into the fray. The motivation for such moves is plain - everyone uses the internet and computers to conduct business, so sooner or later everyone will need security.
Now, with so many security solutions on offer, deciding which ones prove best for their networks becomes an even more difficult conundrum for enterprises to address, and just how much trust they should give to the big boys turns out to be an important factor in solving it. With the likes of Microsoft, Cisco, Computer Associates (CA) and many others jumping onto the security bandwagon with an increasing number of highly marketed security solutions in hand, C-level executives are being forced to answer an important question: Should they rely on the big players or stick with vendors who have always focused on security?
"Large corporations such as Microsoft and Nortel are finding there are only so many people you can sell operating systems or network infrastructures to - in the current tough economy they are looking for other avenues. By adding security to their portfolios, it gives these corporations another string to their bows," says Gary Jones, security analyst with MIS Corporate Defense Solutions, an independent IT security consultancy firm in the U.K.
But, as these companies tend to focus on their own infrastructures and really "have no idea how to deal with security," they will continue to fight an uphill battle to gain enterprises' trust.
Potential customers cannot expect "instantaneous results" from bigger players, contends Gary McGraw, CTO of Cigital, a leading provider of solutions to speed the development and delivery of high-quality software. But while in the past the likes of Microsoft have been criticized for marketing hype, this time around they and others like them seem to be getting serious about security in the eyes of many, he adds.
At the center of the storm
Too many threats to critical infrastructures connected to the internet abound nowadays, and making infosecurity part of the corporate landscape is critical. To do this right, says McGraw, more secure systems must be built, rather than just adding more and more security products to systems.
He notes that customers from all the main verticals want better security built into network and OS solutions. Financial institutions, government entities and others now say they are not going to buy "insecure junk" anymore. "So, hopefully," he adds, "this is a change and people will start to view security less as a cops and robbers game and more as an architecture game."
Microsoft, the OS vendor seemingly at "the center of the tornado," is banking on these consumer demands with its much-publicized Trustworthy Computing effort, says Bob Lonadier, president of RCL & Associates, an analyst and consulting firm. And while Cigital's McGraw believes the behemoth company is serious about security this time around (though he readily points out that what's driving Microsoft into the security market "is what has always driven Microsoft - the market"), others like Lonadier remain fully skeptical. To Lonadier, the company is simply beefing up the perception that it is beefing up security.
Looking out for the bottom line
"It may sound cynical," he says, "but I think it'll be business as usual until their bottom line is affected by all this. Despite the best intentions of groups within Microsoft to do a better job with security and security education, the incentive to change is not going to be there until it affects their wallet. It's just too hard to turn the battleship around at this point and, unfortunately, market forces still encourage releasing vulnerable code because of the time-to-market advantage."
Microsoft's Jeff Jones, senior director for Trustworthy Computing, says his company is viewing security more holistically than ever before, however, and more so than other players like IBM or CA. Microsoft has realized that the best way to secure infrastructures is to improve security "in all products, not just security products. Microsoft's commitment is long-term because it's where our customers want to go," he adds, noting that while they have "taken some pain" for how many fixes they have been forced to release for their many products, future offerings will have better designs.
Microsoft is far from being the only large company to begin offering security solutions or integrating security features with existing products. IBM's acquisition of Tivoli enabled the company to gain a strong position in the security market, says RCL's Lonadier. By incorporating access and identity management capabilities into their solutions, the company has strengthened the security of existing tools and has developed a better calling card in regard to services on offer, he notes.
Other companies, like Cisco and CA, have demonstrated their support for security with top-level executive announcements. In the case of CA, chairman and CEO Sanjay Kumar announced the company's security goals last year. They re-branded their family of products for their 25th anniversary and, in 2002, started marketing eTrust 20/20, a product that offers a visual picture of physical and IT security events.
CA's Ron Moritz, senior vice president of eTrust Security Solutions and former CTO of Symantec, says the security talk falling from the lips of leading players is not a string of "lightweight words." Triggers like 9/11, increasing numbers of complex threats, the need for scalability of systems and the sheer enormity of corporate IT infrastructures have brought security issues to the fore. "Security, as it becomes something that everybody must participate in, has to move from a tactical function to a strategic function," he notes.
Cisco, whose president and CEO John Chambers recently announced that the company will dedicate about 40 percent of a $3.3 billion budget to improving and developing security products and integration, is yet another big boy focusing on taking a holistic approach to IT security. Across all systems and platforms of a company's infrastructure, the key is to transition from security product to security system, says Jeff Platon, senior director of marketing for security at Cisco.
Moving to secure networks
Noting that the company has been in the business for some 12 years, he says that he, and others like Microsoft, are trying hard to solve security problems, but they cannot do it on their own. Cisco, he adds, is simply trying to do its part, but organizations offering IT and IT security solutions must work together. And, in the end, his company and all the rest will need to help move the security industry from a pool of simple detective, reactive technologies to preventative, secure-aware networks.
"Security is a part of customers' expectations today that just aren't being met," he says. "Businesses realize that security is not an IT issue, it's a business issue."
To RCL's Lonadier, "security is most effective when it's embedded as part of the fabric of a solution." That is, security mechanisms are doing what they need to do in the IT network background to avoid worries of addressing such concerns later in the foreground. Operating system and infrastructure vendors are, in many ways, uniquely positioned to address this need. But many of the big boys seem to be missing a key opportunity - highlighting security preparedness in practical ways.
"Security as an enabler [of business initiatives] is sort of the 'holy grail' in the right way to think about security," he says. The large companies now making big plays in the security space will need to do a better job of talking about this fact and provide more and better information about the actions corporations can take to secure their widening networks of users.
Illena Armstrong is U.S. and features editor for SC Magazine