15 Apr 2004, Phil Cracknell, V3
This week Phil Cracknell, chief technology officer at NetSurity, considers the need for continued corporate management investment in security.
Management will always believe that security is a temporary problem. They either think the risk will evaporate or that a 'silver bullet' is just around the corner.
So they spend thousands on security solutions, hoping that this time will be the last and that security outlay will reduce as legislation matures and hackers are deterred by stiffer sentences.
There is even a hope that ISPs or some other intermediary will police activities on the internet to prevent computer crime.
But let's face it, if we increased the custodial sentence for murder it wouldn't stop people being killed each year.
Taking real-life crime as an example, we have plenty of measures in place to guard against burglary, robbery, car theft, physical abuse and so on.
We also have a judicial system designed to deliver punishment - and yet these crimes still take place.
Security is here to stay. And, like real-life crime, unless you remove the targets and all motive and opportunity it won't disappear.
The current corporate security mindset results from the fact that computer-related crime is a relatively recent phenomenon, and the days when nothing was spent on information security are still within living memory.
Securing an appropriate budget to protect your organisation can be a difficult task. Like insurance, it's hard to justify the premiums until you need to make a claim.
But businesses will have to continue to upgrade and evolve their defences to stay functional.
Risk assessments are still viewed by management in a negative way. It's almost as if some evil force is trying to block the progress of the business.
Security is blamed for the excessive time taken to change business process, infrastructure and systems development, but this is because it has yet to be absorbed into company culture.
I hear all the right noises, with corporate statements and management saying "security is everyone's problem," and "we take security very seriously". But I don't see a widespread change in the way security is viewed.
The sudden international boom in security vendors and product offerings has caused some to view the industry cynically.
"Supply and demand", I hear the vendors shout, but then they embark on a massive campaign of fear, uncertainty and doubt (FUD) to increase awareness, fuelling corporate cynicism.
On balance, the vendors would probably not have to adopt such an approach if the corporate world were more responsive.
I've spread my share of FUD - that's what articles such as this are - but we live in changing times and I hope this will be remembered as an era when businesses started to take security seriously.
I try to draw parity with requirements such as physical security or insurance, and wonder if those areas had a similar battle to become accepted.
I also tire of banging the drum and think: "Why bother?" But then an opportunity arises to show someone the light and, of course, I take it.
The good news is that some businesses are doing all they should in terms of security, so maybe the message is slowly getting through.
I just hope that these firms, and all future converts, have a thorough understanding of the issues and an acceptance that security is a necessity.
And I trust that this is not because they have suffered the impact of an incursion; seen the horrors first-hand; lost money, respect and trust; and somehow managed to survive and quickly bolted the door.
I will end with a message to all corporate management, and we will see where we are a year from now ...
Businesses must invest in information security. This is not just a case of buying products, but of real investment in people, education and process change.
They will have to keep spending on security, and their costs will probably increase, because constant evolution of corporate defences is required.
This will be the case as long as there is some change, be that to the threats, risks or nature and shape of their business.