The biggest effect a struggling economy should have on IT shops is inspiration to get more creative with their security spending. And by creative, we really mean more effective.
According to a growing number of security analysts, enterprise IT departments are spending too much on software and services that don’t make them more secure.
“Managers and directors are throwing boxes and dollars at problems: sometimes in hopes of meeting a check-box requirement for a mandated control, and other times out of sheer desperation to address a real problem,” said Jennifer Jabbusch, network security engineer at Siler City, N.C.-based Carolina Advanced Digital Inc.
Instead of taking full advantage of the security tools they already have, or simply getting rid of the security measures they don’t need, many IT managers seem to shell out forkloads of dough to vendors — almost out of habit.
“It’s almost like a superstition for some enterprises,” said John Pescatore, vice-president and security analyst at Gartner Inc. “Companies think that if they don’t buy more security, something bad will eventually happen.”
For Jabbusch, another reason could be an expectation from board-level management that more security dollars equals more overall security. “Some executive could have played golf with some vendor, and, as a result, decided it was time to buy some more widgets,” she said.
Either way, the general thinking amongst enterprises is to throw more money at security. And that might be why some financial analysts have said that, even though we are in the midst of an economic recession, IT security dollars will remain largely unaffected in the near future.
According to a global survey of more than 7,000 IT security professionals released last month by PricewaterhouseCoopers LLP, roughly 44 per cent of respondents said they would increase their spending on security, while another 31 per cent said spending would remain the same.
But while IT security spending appears to be spared for now, that may not be the case if the economy continues to worsen further down the road. And that could lead to serious headaches for security overspenders.
Here’s what you can do:
I love it when a plan comes together
One of the fundamental components of any good security infrastructure is a solid set of security policies. According to James Quin, senior research analyst at Info-Tech Research Group, spending without a strategy is the most troubling trend he’s seen among today’s IT organizations.
“They don’t have a formal plan, so they don’t really understand their security goals,” he said. “They’re just buying tools with no real sense of purpose.”
In a recent Info-Tech survey of about 175 Canadian organizations, about half of all respondents said they had no teams or individuals dedicated solely to IT security within the organization.
“If there’s no-one tasked with security as their primary responsibility, then there’s nobody in the organization really paying attention to the trends in the marketplace, and understanding the nature of the threats they could face,” Quin said.
This significantly increases the likelihood, he added, that IT shops trust their vendors, rather than figuring out the security requirements that could actually fit their business needs.
For Jabbusch, bringing together your entire IT team to focus on security is the only way to figure out what technologies you have and where you want to go with your future technology implementations. That means collaborating with the server people, the switch people, and everybody in between.
“We have some customers that have a whole team of engineers for firewalls,” she said. “One of them handles the routing and policies, and another one handles a different area. They are very segmented. So, it really takes a lot of people to get together with management and figure out what you have in place.”
Making the most of what you have
Only after figuring out what you have can you begin to take full advantage of those tools.
In terms of desktop security, Quin said, one of the most overlooked features for small to mid-range companies is Microsoft Corp.’s Encrypting File System (EFS) in Windows Vista and Server 2008.
“The EFS capability is certainly enough to rival the proprietary products in most circumstances,” Quin said. “That’s not to say it’s as feature-filled as something from PGP or Pointsec, but, in most cases, it’s going to be good enough for a company.”
For an interesting freeware security tool, Quin advised NetWrix Corp.’s USB Blocker, which will restrict and regulate what USB devices can be attached to your computers. It can also regulate what kind of information is allowed to be transferred onto USB devices.
Knowing what you have, according to Pescatore, also means knowing what your security systems are doing. In some organizations, he said, significant dollars are wasted on security tools that never actually encounter security threats.
“We find a lot of people put antiviral software on servers where it just doesn’t do anything,” Pescatore said. “For example, it might be on a UNIX server where virus attacks are very minimal. Companies need to look at their server-side antiviral software and ask themselves, ‘Has this thing ever blocked a virus?’”
He added that useless anti-virus software can also be found on Windows machines — especially if the machines are “not handling files anymore and just doing Web stuff.”
The same inefficiencies can be found at the networking level.
According to Quin, organizations might be using a gateway anti-malware appliance, instead of taking advantage of the anti-malware capabilities included in their unified threat management (UTM) devices.
“In a lot of cases, companies could certainly streamline their costs by looking at those function overlaps and picking one solution to provide that functionality and capability,” he said.
Because of some really radical changes in the security market over the last few years, many of the tools that IT managers are now purchasing offer more breadth of capability than ever before.
“If you’re purchasing a good UTM device, it’s going to provide firewalling capabilities, VPN capabilities, gateway and anti-virus capabilities, content filtering and some form of intrusion protection,” Quin said. “Organizations are upgrading to these tools and basically ending up with a lot of repetitive functionality.”
Typically, larger companies will have corporate laptops and desktops equipped with antiviral software, a personal firewall device, anti-spyware tools, and encryption software. “In a lot of companies, you see all of these services coming from four different vendors,” Pescatore said.
He advised companies to consider an end-point protection platform, a desktop protection engine that blocks viruses and spyware, acts as a personal firewall and handles laptop encryption. While solid solutions are offered by vendors like Trend Micro Inc., Symantec Corp. or McAfee Inc., Pescatore added that companies could also turn to smaller vendors like Sophos Plc. for viable end-point protection capabilities.
In the world of server virtualization, Pescatore said, data centres with lots of firewalls can buy one firewall chassis from Juniper Networks Inc. or Check Point Software Technologies Ltd. and break it up into multiple virtual firewalls. This will help reduce the costs for companies buying extra licences for their failover and backup firewalls.
“I don’t need 10 failover licences anymo