IT departments should start challenging the high profit margins
of IT security suppliers on commodity products, Gartner said
today.
"Business needs to become more aggressive with suppliers and
demand more for less," Neil MacDonald, a research vice-president at
Gartner, told the opening session of the
Gartner IT Security Summit 2008 taking place in London this
week.
This could be achieved by letting suppliers know that business
can and will switch to competitors if their suppliers are forcing
them to pay more for less effective security technology such as
anti-virus.
To survive an increased number of targeted security threats and
remain able to respond to changes in business needs, companies need
to move on from a siloed approach to one that is more co-ordinated
and interrelated.
The boundaries between organisations are becoming blurred, which
means individual organisations are no longer in control of all the
pieces that make up their day-to-day business processes.
"Business needs to change its mindset to see security as an
adaptive system aimed at protecting workloads and information not
specific end points," said MacDonald.
The goal should not be "zero risk", but rather "managed risk" in
which the business has a central role to play and takes some of the
responsibility for security away from IT, he said.
This means making a series of strategic changes such as moving
away from point solutions to linked-up security systems that can
correlate and share information to enable the best decisions.
MacDonald issued a call to action to the security supplier
industry, which he said was sorely lacking in some areas such as
access control and standards for sharing security information and
policy.
The security industry is holding business back with unconnected
point solutions and obsolete pricing models for commodity products,
said MacDonald.
"Suppliers should instead be focussing on research and
development to support new and emerging security standards for
sharing information," he said.
According to MacDonald, effective security is achieved through
multiple layers of defence that all work together.
Although some suppliers were beginning to do this, there is
still a long way to go before policy can be easily externalised and
applied at point of use.
"Model-driven security is what enables the real-time adaptive
security infrastructure business needs," said MacDonald.
"Organisations need to start fighting tomorrow's battles by
outsourcing routine security functions and using converged
technologies that can adapt to new threats," he said.