Column
Brian Honan

IT security – commoditized, badly

Information security is not just IT security. The better we understand that, the better off we'll be.

Attending this year's Infosec show, it struck me that security has become the new golden goose for the IT industry. The acres of expensive exhibitor stands, the professional presenters and the prevalence of suits as the preferred attire for the attendees showed that information security is now an issue for senior IT and business executives, as well as IT vendors.

After lean years post-Y2K and the dotcom bust, it appears that IT security is providing IT service suppliers, vendors and resellers with a new market from which to extract more money. A few years ago, trying to find someone with information security expertise was difficult; nowadays it appears that every reseller, vendor and consultant is offering solutions and advice to companies on how to secure their computing infrastructure. The company that sold you printers a few years ago will now also sell you security solutions. In addition, press interest in information security is increasing in both the industry and mainstream press, judging from the increase in the number of titles and column-inches devoted to the subject.

Surely commoditizing IT security and increasing awareness of the issue can only be a Good Thing? Sadly, I am finding the opposite to be true.

In my experience, information technology, and not just information security, is still viewed by many businesses, particularly in the SME sector, as a necessary evil. Far from a Big Bang, they see IT as a black hole from which they get no bang for their buck.

Small business owners in general do not understand the principles of IT, let alone information security. They understand other risks facing their business, such as theft or fire, as they have tangible references based on experience. But information security is not so tangible. They see it as a technology problem. Compounding the issue, most IT professionals treat it as a technical problem that requires a fix rather than a process to manage continually.

“There are vendors, consultants and resellers who see an opportunity to make money.”

The core of the problem is the lack of distinction between IT security and information security. At its most basic, IT security is simply about protecting the IT infrastructure and ensuring its availability. Simply put, if it breaks, fix it. Information security is about ensuring the information the company relies on is protected and available within acceptable levels of predefined risk. That information can take many forms, with more and more of it being stored electronically on the IT infrastructure. But this does not mean that information security and IT security are one and the same. Now, there are vendors, consultants and resellers who see an opportunity to make money, but who may themselves not fully understand the difference between information and IT security. We now have a situation where everyone knows IT security is an issue but few properly understand the subtle intricacies. Too often the focus is on the symptoms of the problem rather than the underlying cause. This means everyone looks for solutions without actually understanding and addressing the problem. Vendors and resellers are only too happy to sell products and services which provide solutions; that is their job. But if the underlying problem is not properly identified and addressed, then these solutions are merely Band-Aids on a broken leg. Increasing awareness of information security among business and IT professionals can only be a positive thing. But this needs to be tempered, directed and managed. We need to step away from the product hype and the scare stories and remind ourselves what it is that we, as information security professionals, are trying to achieve. We need to ensure that people don't focus solely on technological solutions but also incorporate the other key elements of a good information security architecture — people and processes. A holistic view of information security will help us all ensure the goose will keep on laying those eggs.

About the author
Brian Honan is senior consultant with BH Consulting, an independent consulting firm based in Dublin, Ireland. He provides clients with advice on how best to deploy, manage and secure their information infrastructure.

Infosecurity Today September/October 2006