SECURITY: Cashing in on security

SECURITY: Cashing in on security

In the quest to protect enterprise IT infrastructure, governments around the world are embarking on major security education programs to convince businesses of all sizes of the necessity to secure data.

With the threat of cyber terrorism growing daily, governments also want to protect themselves - insecure business systems can be used to launch attacks on public-sector networks. Also, government departments and agencies, both state and federal, are looking for ways to cut costs, and an obvious way to do this is through e-procurement. However, for e-procurement to be effective, participating businesses must have secure systems.

Cutting costs is not solely a government prerogative, and more and more businesses of all sizes will be looking for ways to make themselves more cost-effective as the world slides toward recession. That in turn is expected to push many previously reluctant companies into B2B e-commerce as they realise the cost benefits it can provide in areas such as supply-chain management.

It is therefore more important than ever to ensure any e-commerce transactions and associated intellectual property are adequately protected.

Bob Hayward, Gartner's senior vice president for Asia-Pacific, says that law enforcement and security experts, particularly in Western countries, have become increasingly concerned about a possible increase in cyber assaults from extremists and their sympathisers.

"Recent worms and viruses have clearly exposed the Net's vulnerabilities, so all corporations will need to pay much more attention to computer security," he says.

IDC agrees, and says the way security is viewed is changing. Boundaries between physical and information security will dissolve, and industry and government will cooperate on critical infrastructure security, although people's privacy will of course suffer. IDC predicts that physical and information security will merge. The policy for identifying people and what security clearance they have will become paramount. "The bottom line is that security is now a mandatory consideration, not just a discretionary purchase."

While IDC's overview concentrated on the US, Hayward, in his own similar analysis, says that what happens in the US this year as a result of September 11 will seep into business practices in other developed economies in the near future.

In the US the security market is widening as governments and business start to use devices that go well beyond network-intrusion detection and require a greater degree of physical identification and authorisation before people are given access to IT infrastructure.

Nowadays, that can mean the use of smart cards, biometric technologies such as iris and retina scanners, fingerprint and hand profilers, voice and facial-recognition systems, as well as a host of other identification and authentication technologies, intrusion-detection systems and system scanners.

In Australia, companies wanting to do business with government must have approved public key infrastructure to ensure all transactions are encrypted and secure. Privacy laws that come into effect on December 21 put the onus on businesses to ensure that private data is secure.

With this scenario there should be huge opportunities for the channel.

IDC predicted pre-September that Australian business spending on packaged security software would grow from $206 million last year to $1443 million in 2005. Internationally, both IDC and Forrester Research are predicting a 300 per cent growth in the security market over the next four years.

But that doesn't mean the rewards are going to be handed to the channel on a platter.

There are disturbing signs that, despite all the recent publicity, many organisations do not understand security and have neither an established security policy nor the skilled staff to implement it.

A survey taken at the recent Information Security World 2001 found that only 55 per cent of local senior managers fully understood the risk of security incidents to their business. Anecdotal evidence from Australian experts suggests that security isn't even part of the overall business planning process for as many as 75 per cent of organisations.

Peter Sandilands, regional director for Australia and New Zealand at Check Point Software Technologies, says there are some obvious issues resellers must first address if they are going to take advantage of the current environment, such as access to skilled staff and their own attitude towards security products.

"Security people are as scarce as hens' teeth and worth a fortune. They need to be multi-skilled; they need to understand IT, operating systems, applications, client/server communications and the business deployment of those things.

"For resellers, the challenge of getting into the marketplace is to approach it sensibly - to not get burnt by trying to do things they don't know anything about.

"Secondly, resellers generally tend to be focused on product sales, but security is by and large a services sell. I can sell someone a firewall but I'm not going to make much money out of it even if it's a high dollar value item. So what I really have to do is help the customer build their security profile, deploy the solution for them, and then hopefully convince them to allow me to maintain it in an ongoing fashion.

"Unlike servers and network structures, you don't just sell it and walk away. I could sell someone a structured cabling system and know I wouldn't have to talk to them for another five years, whereas if I sell them a security system I might need to speak to them again next month to check its configuration, or to allow for new applications that have just been rolled out, or to add some patches for the latest vulnera-bility," says Sandilands.

Industry experts agree that channel staff will not only have to keep up with all the current security issues, they will have to be able to convince company executives - rather than just a company's IT technicians - that not only is security an executive matter, senior management can be held legally responsible for it.

Kim Duffy, managing director of ISS Australasia, says there are four key security issues that resellers need to be aware of:7 Demands for multi-layered security strategies to combat the rapidly expanding spectrum of threats.

7 New privacy laws.7 Market demands for a single protection solution.7 Security reassurances sought from business partners.

"The number and complexity of threats will continue to increase, and until companies adopt a multi-layered security approach that encompasses the network, server and desktop layers, they will remain vulnerable, Duffy says.

Like Sandilands, Duffy stresses that security is an executive decision. "Until now, it has been quietly accepted that vulnerability was the price companies paid for online business. Not any more. From now on, company executives will not only be gambling their company's security system, rather than onto the operators of that system."

Internet technology services company eGlobal provides security services to a wide range of businesses. According to business development manager Fred Del-Tahche, being able to track internal threats is as important as keeping intruders out.

"There is a lesson to be learnt from September 11. The terrorists used American planes with American fuel to fly into American buildings while [America's guns] were pointing outwards.

"You can compare that to an organisation that says it has a really strong, safe firewall that is configured to the maximum to stop anybody getting in. But what about the people inside who are cracking the administrator's password, or the disgruntled employee who can cause damage?"

Del-Tahche says the channel has to help companies put security policies in place. Rather than just selling them a firewall, for example, resellers could provide companies with software to track what people were doing within an organisation.

"You don't stop them from doing things, because once you stop people you restrict their freedom in their job. You just track them and use software that can detect things that are irregular or a bit random and report them."

He says user authentication is vital. "You can put a really nice security system in place but if all you need is a username and password to get in, it's not good enough. It can be breached in 30 seconds."

Del-Tahche says there is good money to be made in security. Like Sandilands, he says if security is looked on as a service rather than just a product, the income will be ongoing.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments