The headlines are scary for both CIOs and the companies they work for. "Stolen Computer Holds Information of 16,000 Driver's License Holders," "Vulnerability Auctions Killing Responsible Disclosure," "Hacking for Dollars: Is The Botnet Battle Already Lost?" "Online Brokerage Account 'Incursions' Worry SEC."
New security threats arise every day. CERT, a federally funded research and development center operated by Carnegie Mellon University, reported almost as many security vulnerabilities (5,340) in the first six months of 2006 as occurred in all of 2005 (5,990). And according to the CSI/FBI Computer Crime and Security Survey for 2005, the average loss per respondent for unauthorized access to information was $303,234 in 2005, up from $51,545 in 2004; and the average loss per respondent for theft of proprietary information was $355,552 in 2005, up from $168,529 in 2004.
Product du jour
Corporate IT's answer to the problem thus far has been to throw more devices and software at the problem. Security started first outside the network with boxes to stop denial-of-service (DoS) attacks. Then we progressed to intrusion detection systems (IDS) that were marketed as a "burglar alarm" for networks - a device that monitored for unauthorized access and, if it didn't stop hackers cold, at least alerted the appropriate authorities. Add to this appliances such as VLANs, routers and firewalls to manage network traffic, and then finally anti-spam, anti-spyware and anti-virus software and you can see why research firm Forrester reported that security budgets often account for as much as six percent of total IT budgets.
These point solutions have proven deceptively detrimental to consistent and broad security levels. According to Forrester, CIOs "look for products with the richest feature set and most advanced technology. While this may be a reasonable strategy for product evaluation, it leads organizations to select products that either don't integrate well into their environment or are technically immature." Of course, this also leads to an increase in their total cost of ownership, as companies not only pay for the latest products, but then also must integrate and manage these products in an increasingly complex infrastructure.
Think it's not really that complex? Gartner tracks a variety of categories within the security space, including vulnerability management, automated penetration testing, security policy development tools, audit logging, consumer authentication, intrusion prevention, centralized authorization, security configuration management, and enterprise role management - to name a few. Vendors within each of these categories are pushing their products and solutions on increasingly panicky IT managers and security managers, forcing them to weed through the crisis du jour and product du jour, in order to create a secure network. In fact, a February, 2006 study by TheInfoPro finds that Fortune 1,000 information security managers routinely consider up to 92 different security vendors in their purchase decisions and security deployments.
We're from the government, we're here to help
As companies scramble to keep up with security, a regulatory environment that imposes strong requirements on IT systems has also emerged. Since the market had repeatedly demonstrated that minimal levels of security were not in place in even the largest organizations, some external pressure was needed to improve the situation. Regulations were needed to establish a baseline for organizations for both security reasons and also to ensure the fidelity and protection of critical data. However, in an overzealous turn of events these regulations have become overlapping, complex, and costly to implement and maintain. And it's not just a single one that companies have to worry about. Most organizations that are subject to one regulation are in fact burdened with the headache of complying with several others as well.
The time and budget spent to maintain compliance is considerable. According to Gartner, in 2006 IT financial compliance management spending will rise to between 10 percent and 15 percent of IT budgets.
Are you more secure today than you were last week?
The reality is, businesses are no more secure today - with all of their various security and vulnerability management devices and software, and regulations - than they were before. Every day employees or other miscreants break through internal or external gateways, web applications, databases and more, gaining total access to financial, personal and corporate secrets and information. In fact, 34 percent of respondents to a Forrester survey about data protection reported at least one personal data breach in 2005. People are crafty, and motivated adversaries and their never-ending antics and intrusions into corporate networks leave CIOs constantly scrambling to plug the breaches in the dikes.
Despite the fact that we're still suffering from the same litany of basic security problems we faced 10 or even 20 years ago, organizations continue to focus on buying the latest and greatest technology to stop the newest and most widely reported threats, rather than ensuring that the basic security best practices and policies are being observed and adhered to.
Optimizing security policies to meet business objectives
Companies need to begin considering security as part of business process and policy, aligning their governance, compliance and risk management activities to drive business performance and directly affect business outcomes. This means that companies must meet business needs while doing the best possible job of protecting their networks - creating high-level security policies that can then be translated into desired security states on each and every affected machine on the network. The idea of optimizing your security policies and procedures is really no different than optimizing your supply chain or your ERP software. It starts with going back to basics and taking a holistic overview of the business, identifying important assets that have critical problems that are likely to occur.
Closing the policy gap
The security industry has responded to this concept in the way we've come to expect - by introducing a dizzying array of products designed to link business-based IT objectives with measurable results. However, current offerings have all targeted very narrow aspects of this enormous challenge and this silo approach has forced administrators to attempt to manage security policies through organizational integrations and costly and resource-intensive manual workarounds. The result is a policy implementation gap that leaves most organizations exposed to significant risks.
What security administrators actually need is an integrated solution that lets them meet their broad-based security objectives in dynamic, real-world enterprise environments, a solution that allows them to see their network including the up-to-the-moment security posture of every machine. This way, security administrators could achieve their business goals by quickly translating high-level security policies into the desired security states on each and every user and critical business system on the network.
In addition to security solutions that help organizations focus resources on critical systems, regulations need to be streamlined and simplified. The overlaps should be eliminated and regulations should be constructed as a system that builds one upon the other, making it easier for companies to understand and maintain compliance.
Organizations need to seek solutions that go beyond a single regulation or problem, and seek those that provide a broader and more comprehensive approach to best practices and compliance while allowing them to keep track of the plethora of point solutions that they already possess. This would allow for a flexible yet responsive approach that would not merely meet today's security environment but would try to lay a security foundation that anticipates future demands from lawmakers, customers and the organization itself.
-Dan Farmer is cofounder and CTO of Elemental Security.