Hacker market pushes security mainstream
When a computer scientist gets an MBA, and then becomes almost infatuated with economics, the result can be a unique, market-based analysis of IT security.
From MBA security specialist Ionut Ionescu’s perspective, IT security has become a mainstream professional marketplace, with specializations like forensics or incident management. But hacking has become commercial as well, he says.
Ionescu, Nortel’s director of security services for Europe, Middle East and Asia, sees the hacker market maturing. That means there is an increasing sophistication in the tools themselves, in the research and development behind them, the distribution channels and the organizations that support them.
It also means there are more players in the market, so the quest for customers and profits will create better products at lower prices for an increasing number of market niches, says Ionescu.
Does government see the IT security market differently from their private sector colleagues? “They probably do because public sector managers would see security more from the point of view, I would say, of policies, procedures and regulations. Whereas in most cases, unless you’re in a regulated industry like banking or utilities, a private sector security manager sees it as very much more goal-orientated.”
Governments tend to have a lot of requirements, he says. “The bids are big, the documentation is big and you have to tick all the boxes. And sometimes not the best [products] get chosen, but they’re the [products] that satisfy all the ticks.”
Unless security is mandated in the same way as car insurance, it’s usually difficult to convince people to spend significant amounts of money unless they see a smoking gun, says Ionescu. “This is where we security professionals come into play.
“We should be doing more to educate managers and we should be educating users more. Otherwise people say, ‘Oh, we have anti-virus and somebody maintains it,’ but they are oblivious to the fact that they’re bringing in a USB stick or their wireless network is not secured at home and they have cross-pollination of data between their home Internet link and their office.”
Before joining Nortel, Ionescu helped insurance companies explore the uncharted territory of risk in IT operations. In the early days of information technology, insurance companies would write policies on the physical assets associated with computing.
Insuring computers and servers was a lot like insuring automobiles or aircraft. At that point, they weren’t thinking about data loss. As Ionesco puts it, “If the computer wasn’t on fire, there simply wasn’t a claim.”
Then, as the economics shifted and the information on the computers became more important, insurance companies began writing policies that reflected the hours of work necessary to re-input the data. That was standard operating procedure until about 2000, he says. “Then people saw that the loss went well beyond the hours needed to rebuild data from paper and went on to things like loss of business.”
Insurance companies live or die by their ability to assess risk. When it became clear there was a market opportunity in quantifying the intangible of data loss, it also became clear that most hackers were not rocket scientists, Ionescu says. Much of the IT security challenge could be met by good system and network administration.
“After that, the minimum protection you need is up-to-date anti-virus, a strong regime for password changes, and effective backup.” Over about a year-and-a-half, insurance companies began to write policies on data based on those principles.
“Before, their knee-jerk reaction was to withdraw coverage.” Now, meeting those three steps qualifies policy holders for a certain level of protection. Agreeing to an insurance company audit increases the coverage.
Employees are constantly making economic decisions about IT security, Ionescu says, as they choose to follow or flout the rules. He believes organizations should not only persuade people that compliance is the correct decision, but also that procedures should be made simple and easy to follow.
At the organizational level, reporting is still a challenge. Economic incentives for a department or a corporation to go public with an incident often don’t exist. The potential loss of time and the risk of public exposure far outweigh the perceived benefits of “helping the community.”
“People unconsciously do this kind of cost-benefit analysis all the time,” Ionesco says. “Again, that comes back to a culture change. People don’t mature as quickly as technology.”
Richard Bray is an Ottawa-based freelance journalist specializing in high technology and security. Contact him at [email protected]