IT security industry faces a tough 2005

This year will mark a period of reckoning for the IT security industry as spending begins to decline, Gartner has predicted.

Victor Wheatman, managing vice president at the analyst firm, told the RSA Conference in San Francisco that by 2006 security spending will have dropped to four or five per cent of corporate IT budgets. In more efficient companies it could drop lower with no harm to the level of protection, he claimed.

"It is a myth that the more you spend on security the more secure you are," said Wheatman. "2005 will be the year of reckoning for security spending. The lowest spending organisations, often the most efficient, can and will safely reduce spending to three or four per cent [of corporate IT budgets]."

The analyst suggested that the IT security industry is bedevilled by myths, including the belief that the more you spend the safer you are.

Wheatman added that it was erroneous to believe that regulation drives security spending, when in fact it is auditors who were most likely to insist on proper security set-ups.

The other key myth, according to the analyst, is that software is inherently flawed. Some IT buyers seem to accept that all software must contain errors and security flaws.

"You need to buy safer software for your applications," said Wheatman. "Software only has flaws if you buy code with flaws. Has anyone here taken part in that massive beta test of some software called Windows?"

He went on to outline those technologies which Gartner considers effective, and those that it does not.

Chief among the "must have" security items is 802.1x wireless authentication, enhanced firewalls that allow for deep packet inspection of data, and more intelligent networking technology that would check devices trying to join to see whether they were properly patched and virus free.

Other good buys included gateway antivirus and anti-spam checking, software that would perform security audits, and content filtering that blocks dangerous websites.

Physically locking down PCs within a company, and maintaining a proper business continuity plan, were also mentioned.

Of the technologies to avoid Wheatman's most surprising choice was biometrics. He maintained that hackers could beat such systems relatively easily, and that some companies which had installed biometric identification were now giving up and shutting down such systems.

Other security ideas getting the wooden spoon included default passwords, personal digital certificates and anything to do with quantum computing. He also ridiculed fads like paint that could apparently shield Wi-Fi emissions from buildings.