IT Security: Business understanding is our challenge
The biggest problem in IT security, and its success either as a practice or in simple (or should that be complex) sales volumes is business understanding. The simple fact that we're faced with is that by far and away the majority of firms do not recognise investing in security in the same way as they do in IT operations.
The irony is that underinvestment or the wrong approach to security is not only likely to be a waste of money but also completely inadequate to tackle the problem, which is only really understood by a few in the first instance. To make this worse, no one really knows how to measure success in IT security - or very few actually think about defining the objectives of a security investment and how these are measured and sustained.
In some ways, I think we, the security resellers and industry experts, are to blame for this huge void in understanding of the value of security in business. Why do I say this? Well, in one word, firewalls.
The humble firewall is the first line of defence in IT and everyone has one. It's taken for granted in every network design that it's required. They've featured in films, even been the title of one with Harrison Ford and Paul Bettany starring in the lead roles. How many times can you recall the word firewall being used in modern films? How many times do the heroes have to blast in through the firewall, then are suddenly at leisure to do what they want? Quite a few I'd imagine. Shouldn't this mean that if they ALWAYS get past the firewall, more defences are required inside the network? (now there's a thought...) So it's no surprise that this security device is always there, and it's just one of those things the board knows needs to be put in place; but, I wonder, do they actually know what it does or if it's used to the best effect? And what happens if it is circumvented?
If the firewall has this unanimous recognition, why is it then that the investment and understanding stops here? Well, I don't think we as security experts have really used the opportunity created by the fame of the firewall and explained how security is in layers, starting with the firewall. It's very easy to get into complex terminology and technical language, as the nature of IT security is all about code weaknesses, and we shouldn't be surprised we end up talking in jargon. HIPS, IPS, DLP, AV, PFW, NIDS... so no wonder it's not understood - and I think with our techno-speak we also scare people off.
There is most definitely a requirement and necessity for security beyond the firewall, but we just need to explain the practice and benefits in a more appealing and meaningful way. Currently, I think the industry relies too much on compliance to force security technologies into the network and short-changes on taking the time and effort to explain in a language the board can understand. Credit to Palo Alto here: they've capitalised on the success of the firewall by adding in the functions of intrusion prevention, data loss prevention and application control in such a way as to show exactly what's happening, and in a more intuitive way - and more of this is exactly what is needed.
If we can move away from the acronyms and complex jargon, put into context the effects of cyber-attacks and show what's going on, we've got a good chance at turning around the issue of understanding. Short of employing Harrison Ford or Bruce Willis to release yet another tedious sequel to plug our technology, we need to approach the challenge of security from a much more business-minded point of view and lose our techno blurb.
Firewall, distributed by Warner Bros Pictures, 2006.