The economics of e-security

Hacker market pushes security mainstream

When a computer scientist gets an MBA, and then becomes almost infatuated with economics, the result can be a unique, market-based analysis of IT security.

From MBA security specialist Ionut Ionescu’s perspective, IT security has become a mainstream professional marketplace, with specializations like forensics or incident management. But hacking has become commercial as well, he says.

Ionescu, Nortel’s director of security services for Europe, Middle East and Asia, sees the hacker market maturing. That means there is an increasing sophistication in the tools themselves, in the research and development behind them, the distribution channels and the organizations that support them.

It also means there are more players in the market, so the quest for customers and profits will create better products at lower prices for an increasing number of market niches, says Ionescu.

Does government see the IT security market differently from their private sector colleagues? “They probably do because public sector managers would see security more from the point of view, I would say, of policies, procedures and regulations. Whereas in most cases, unless you’re in a regulated industry like banking or utilities, a private sector security manager sees it as very much more goal-orientated.”

Governments tend to have a lot of requirements, he says. “The bids are big, the documentation is big and you have to tick all the boxes. And sometimes not the best [products] get chosen, but they’re the [products] that satisfy all the ticks.”

Unless security is mandated in the same way as car insurance, it’s usually difficult to convince people to spend significant amounts of money unless they see a smoking gun, says Ionescu. “This is where we security professionals come into play.

“We should be doing more to educate managers and we should be educating users more. Otherwise people say, ‘Oh, we have anti-virus and somebody maintains it,’ but they are oblivious to the fact that they’re bringing in a USB stick or their wireless network is not secured at home and they have cross-pollination of data between their home Internet link and their office.”

Before joining Nortel, Ionescu helped insurance companies explore the uncharted territory of risk in IT operations. In the early days of information technology, insurance companies would write policies on the physical assets associated with computing.

Insuring computers and servers was a lot like insuring automobiles or aircraft. At that point, they weren’t thinking about data loss. As Ionesco puts it, “If the computer wasn’t on fire, there simply wasn’t a claim.”

Then, as the economics shifted and the information on the computers became more important, insurance companies began writing policies that reflected the hours of work necessary to re-input the data. That was standard operating procedure until about 2000, he says. “Then people saw that the loss went well beyond the hours needed to rebuild data from paper and went on to things like loss of business.”

Insurance companies live or die by their ability to assess risk. When it became clear there was a market opportunity in quantifying the intangible of data loss, it also became clear that most hackers were not rocket scientists, Ionescu says. Much of the IT security challenge could be met by good system and network administration.

“After that, the minimum protection you need is up-to-date anti-virus, a strong regime for password changes, and effective backup.” Over about a year-and-a-half, insurance companies began to write policies on data based on those principles.

“Before, their knee-jerk reaction was to withdraw coverage.” Now, meeting those three steps qualifies policy holders for a certain level of protection. Agreeing to an insurance company audit increases the coverage.

Employees are constantly making economic decisions about IT security, Ionescu says, as they choose to follow or flout the rules. He believes organizations should not only persuade people that compliance is the correct decision, but also that procedures should be made simple and easy to follow.

At the organizational level, reporting is still a challenge. Economic incentives for a department or a corporation to go public with an incident often don’t exist. The potential loss of time and the risk of public exposure far outweigh the perceived benefits of “helping the community.”

“People unconsciously do this kind of cost-benefit analysis all the time,” Ionesco says. “Again, that comes back to a culture change. People don’t mature as quickly as technology.”

Richard Bray is an Ottawa-based freelance journalist specializing in high technology and security. Contact him at [email protected]

Related content:

Canadian police plan global CyberPol centre

Hactivism attacks could rise, warns security expert

China denies Pentagon cyber-attack

Understanding federated identity

Identity thieves loot government job search site

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now