Road trippin'

By Stuart Finlayson

Jan 01, 2005: Towards the end of last year, Microsoft, Cisco and Dimension Data embarked on a tour of Australia, the purpose of which was to impart advice as to how to create and maintain a secure enterprise IT infrastructure. Stuart Finlayson met with the Australian chiefs of the three vendors in the immediate aftermath of the final leg of the roadshow in Sydney to find out how their message was received, as well as to hear what the roadshow attendees had to say about the current state of play in the IT security market.

Although overall IT budgets across the majority of enterprises have either stayed static or grown modestly in the last year or so, the security market has not suffered unduly, as spending in the sector has increased disproportionately compared to IT spend as a whole.

Armed with this statistic, coupled with the news that security products are (apparently) getting more sophisticated, one would be inclined to draw the conclusion that the incidence of security breaches would have tailed off in the last 12 months. But according to AusCERT (Australian Computer Emergency Response Team), the opposite is true. This has led customers to query why, having spent substantial sums of money on new, improved security products, they are not getting the desired results.

Gerard Florian, chief technology officer at Dimension Data, believes a vital element in the struggle to maintain a secure corporate environment lies in the attitude and actions of all employees, rather than just a few.

"The discussion to that really was around, how can we go about encouraging a security culture? How can we change those ideas that it's really up to one or two people in the IT department and everybody else doesn't need to worry about it? From senior management, executives being very aware and getting it as a board-level agenda right the way through to everyday staff, taking it very seriously when they close the door behind them as they walk into any part of the building."

The key message then, according to Florian, was to try to create and maintain good habits, but having the right equipment to deal with the various scenarios that can occur is also critical.

In this regard, Florian is of the opinion that security products are definitely getting better, but acknowledged that the fact that users are spending disproportionately more money on security products than on other areas of the IT infrastructure was a concern.

"The issue there for all of us is that that effectively redirects funds and redirects effort away from other more beneficial activities, be it mobile computing, e-commerce initiatives, and so forth. So we're certainly keen to see investment in security products, but at the appropriate levels."

Both Microsoft Australia's managing director Steve Vamos and Cisco's ANZ managing director Ross Fowler were keen to emphasise the importance of the three companies (Dimension Data being the third) working together to get the message out and address industry concerns.

"I think the initiative really underscores one very important point that we want to make which is that security is a very broad and very important issue. It's an industry issue and it's something that can't be solved or addressed by any one individual player.

"The reason I say that is the concerns that we face as an industry and the concerns our customers face, really span issues that encompass business process, the deployment of technology, technology itself and people and the approach that people have and the attitude that people have to security. A very basic and simple example is all of us need to [look at] our attitude towards passwords and the way we set our passwords up. Those of us that still have our dog or our daughter's name as our password should be thinking very carefully about that."

Similarly, Cisco's Fowler stressed the need for co-operation. "Security is really top of mind amongst our customers. We also understand very clearly that while Cisco has a key role in this, we cannot do it on our own."

Cisco cannot do it on its own, says Fowler, because the network is but a small part of the overall security consideration, with applications, people and processes all factors in the equation.

"Certainly, Cisco Systems can provide the network solutions to security and, you know, if I can just drag an important point, this isn't just about viruses and worms and Trojan horses, this is about three issues.

"It's about privacy, so it's about keeping your data and information private. It's about control, so it's about managing the attacks that come in from viruses, Trojan horses and worms. And the third issue is the control, which is about trust and identity. And those three things, the privacy, the protection and control, need to be delivered in security solutions in an equal balance."

Fowler earmarked Cisco's latest approach to security, dubbed the "self-defending network", as an important tool to deal with the ever-quickening rate of Internet-based attacks.

"The reason [the system] needs to be 'self-defending' is these attacks are coming much more quickly. If you look at the first generation of attacks, they spread around the world in a matter of days. The current generation, which is the third generation, spread around the globe in minutes - Slammer spread around the world in about fifteen minutes. The fourth generation will spread in seconds, so organisations that don't have a coherent end-to-end security strategy will be unable to cope with these, which is why we need this cooperation between the system integrators, such as Dimension Data, the applications providers, such as Microsoft, and [networking companies such as] Cisco.

"We recognise that no single vendor can address all the issues and that this truly is an industry issue. But I think the same applies to companies. I've seen too many companies that focus purely on what they're doing and they haven't taken a holistic approach. And that's why the debate, analysis, the evaluations from a technology and a people and process point of view needs to be lifted up in the organisation."

Dimension Data's Florian concurs with that viewpoint, but believes we remain some way away from that type of company-wide security awareness and responsibility being commonplace.

"I think, in the corporate sector, there is still a lot of work to be done at the board level to get people to realise the impact. When security is sponsored by a senior executive, that organisation does a much better job of mitigating risk.

"As we talk about this culture thing, my favourite analogy is from my kids. When I get in the car these days, everyone down to the three-year-old says 'Dad, put your seatbelt on.' It's become so ingrained, that safety matters. How do we get to the same point from an organisational point of view with security matters, so people don't put a chair against a door to hold it open, or share a password with somebody else so they can get in? The big message is, again, to try and get it out to as broad a part of the business as possible, that security is everyone's responsibility."
