It is said that the technology at the heart of IT changes at a bewildering pace, and it is reckoned by many observers that the changes are taking place at an accelerating rate. Indeed, a quick glance over the happenings of the past few years tends to bear witness to the rapid rate of change in IT and how business now utilises computer based systems in almost every area of operations. Whilst some technologies are adopted at a frighteningly quick pace, more mundane matters, most especially IT security, continues to be run haphazardly in many organisations or is effectively ‘swept under the carpet’.
Why is it that “IT Security” as a whole is still a fragmented mass of discrete parts that take incredible patience and effort to get working as a whole? Indeed, from a ‘systems’ or ‘quasi-architectural’ point of view, little in security appears to have changed significantly in the last decade or more. In many respects April’s Infosec show in London highlighted that whilst individual security products evolve at an astounding rate, there appeared to be few offerings looking to combine a wide range of solutions into simple packages for end customers to procure.
Security solutions are still mostly sold as discrete products covering everything from basic malware protection and firewalls, through data loss systems and encryption, up to intrusion detection solutions / behaviour monitoring and forensic analysis. Plus everything in between! Whilst some vendors have begun to bring together ‘suites’ of ‘integrated security solutions’, the majority of these still encompass only a small subset of the bemusing array of protection that organisations require to guard themselves against an increasingly sophisticated range of threats, both economic and intellectual.
The potential consequences range from the mundane, e.g. increased costs and time required to perform routine management tasks, to the dangerous, most pointedly increased exposure to business risk as security holes remain open due to the overlapping complexity of multiple solutions not fully addressing challenges.
But the problems lie not just on the side of the vendors. Enterprises are equally at fault. Most large organisations buy IT security as separate components, with different departments responsible for separate stacks of the security picture. This is the case even in companies where there is a ‘security’ department with a specific role to oversee the ‘big picture’.
And in many enterprises it is likely that IT is often left to make decisions that really should be taken by line of business managers, or better yet by business and IT working together. The problem is that in many organisations there is a distinct reluctance for business managers to get involved in IT security as they really don’t want to take responsibility. The way budgets work, IT staff often end up having to make piecemeal decisions on security solutions.
Budget silos mean that little planning or finance is made available to consider the big picture, which is all about how the intricate web of IT systems fit together and how the entire stack needs to be secured. Much of the way IT security is funded is a direct consequence of IT not understanding the ever-changing nature of the threats to which the organisation is exposed and IT staff not being able to adequately explain the problems to be addressed.
But as more systems are integrated together, often by direct connections, it is becoming ever harder for stressed IT staff to see how things link together. This also means it’s becoming ever harder to work out just what the security implications are when IT is being chased to make decisions. As a result, there’s also little scope to manage the change processes securely.
Throw into the mix senior business managers seeking to use a seemingly ever-expanding portfolio of devices, be they tablets, slates and smartphones, the security challenges are escalating day by day, or at least year by year. And that’s before we’ve even taken into consideration that some of these devices may not even be procured or directly managed by the enterprise.
So if neither the business itself nor hard pressed IT staff have either the time or the inclination to take the ‘big picture’ overview of security, and the majority of IT vendors appear happy to continue selling siloed IT security systems with little integration between discrete stacks, it appears that channel partners will be the only way organisations are likely to be able to get a better handle on overall IT security.
In particular, there is an opportunity for the channel to educate customers on how to implement comprehensive IT security. This should start with training both business managers and IT staff on how to identify and quantify security risks, and must include educating end users on why IT security matters. Without such understanding – as history shows – users will seek to side step or completely ignore ‘security’ measures, be it in IT or any other area, especially if they think something slows them down or ‘gets in their way’.
This will not be easy, but it is clear that many organisations are running IT systems that are much less secure than is required. There are plenty of opportunities for channel partners to sell solutions, but the customer base needs to be communicated with in terms of risks and benefits for comprehensive solutions, not just about individual product features and capabilities.
Tony is an IT operations guru. As an ex-IT manager with an insatiable thirst for knowledge, his extensive vendor briefing agenda makes him one of the most well informed analysts in the industry, particularly on the diversity of solutions and approaches available to tackle key operational requirements. If you are a vendor talking about a new offering, be very careful about describing it to Tony as ‘unique’, because if it isn’t, he’ll probably know.