I'm not going to be able to get through this column without mentioning September 11 a few times. There, I warned you. I promise to keep it to a minimum, since the event and every surrounding angle have already been scrutinised to pieces, but its impact in jump-starting the IT security market was so profound that it is impossible to leave out.
One of the main effects of the attack was to deliver a wake-up call to businesses to start closing the holes in their IT systems. True, the holes were always there, but the potential magnitude of a disaster had not been appreciated until recently, when a new way in which businesses can be attacked was exposed.
Operating in a sort of counter-direction is the effect of the global economic downturn. Unfortunately, as far as the purchasing of security products goes, bottom-line issues are starting to take precedence over security the further away we move from September 11. In other words, as the economic reality kicks in, which forces IT departments to be more methodical in their purchases, security risk awareness is slowly fading away. Typically, more projects are competing for a smaller budget and there are a lot of trade-offs being made. The focus is on detailed, legitimate ROI schedules, which have in the past only been used to deliver wildly ambitious projections in a bid to win the customer.
This climate has made the emphasis on accuracy so strong that businesses are likely to want a third party to double-check and lend credibility to an ROI proposition. What's more, acceptable ROI timeframes are getting shorter: two years and under is very attractive, three years is tolerable, and anything above three years is frowned upon and in danger of being scrapped from the game plan.
This mentality is infiltrating businesses across the board. In fact, the issues for the high, mid and low ends are surprisingly similar: it's simply a case of being at different points in the maturity timeline. Enterprise is about halfway down the path, experimenting with intrusion detection, while the other end of the range, small business, is still wrapped up in firewalls, antivirus and giving people remote access.
While complexity contributes to this slow progress along the maturity timeline, it has more to do with a shortage of manpower than a lack of technical aptitude. That said, specialists in certain pockets of the security market, especially technology niches like PKI and intrusion detection, are as rare as hens' teeth. This builds an increasingly strong case for the channel to manage security on customers' behalf: first implementation, then outbreak alerts, patches and backup, and most importantly the management of distributed resources.
The MSSP (managed security service provider) model has the makings of an absolute goer, although it will become incredibly competitive. Already, small service providers are flooding onto the market, contributing to something of a glut. Many of them will be snapped up by large service providers with broad customer bases to provide services in the lead-up to the introduction of the Privacy Act, which takes effect on December 21. For while most of what is in the Privacy Act is plain good sense, only an embarrassingly small number of organisations can say they have established a culture of privacy and security, run training and awareness programs, spelled these things out explicitly in their policies, and put dedicated security processes in place.
The 12 months of breathing room given by the Federal Government should therefore not be mistaken for leniency. But it certainly is an opportunity for the channel to help businesses show progress and good intentions, and demonstrate that they are operating on general risk principles, so as to avoid incurring the wrath of the Government, especially at the enterprise level.
If it looks like a challenge, it is. But, for the channel, challenge and opportunity go hand in hand.