The need for effective processes in delivering information security came under scrutiny this week.
At its annual IT Symposium in
How might this happen? Gartner suggested that when the multiple market, technology and organisational forces at work today are combined, the elements will be in place to deliver improved security efficiency. By 2010, it said, only 10% of new and emerging security threats will require a tactical, best-of-breed solution, compared with 80% in 2005.
Consolidation and convergence of security functions onto security platforms will have the greatest effect in reducing costs. But - and here’s the rub - equally important will be improvements in process discipline within the IT organisation, so that the administration of “mature” threats is handed over from IT security to the operations side of the IT organisation, Gartner said.
The information security team should instead be “solely focused” on new and emerging threats and technologies; it must “let go” of the more mundane threat-protection technologies and concentrate on what it does best - addressing new threats effectively.
"To get more secure and spend less, enterprises should focus on process, not products," said Neil MacDonald, a Gartner vice-president and analyst. "Businesses should increase the efficiency of the security programme either by reducing the percentage of revenue that goes towards security spending or increasing the amount of protection from established security spending levels, and also increase the effectiveness of the security programme, reducing the number of successful incidents or providing security controls that do not interfere with business missions."
Just as business processes are key to the success of the business, defining the security processes is key to securing the business. Four security processes - network access control, intrusion prevention, vulnerability management and ID/access management - and the interfaces between them are the best approach to improving security effectiveness and efficiency, said Gartner. If the rest of the business is moving to a process-focused discipline of measurement and management, it argued, why shouldn't information security as well?
There is something to be said for this focus on process, and, yes, perhaps security teams should be spending their time combating new threats. After all, there are plenty of them: the advent of spyware, the emergence of blended threats and the involvement of organised crime in the pursuit of money have given IT security a harder edge than in the days of happy-slappy hacking.
IT security could perhaps argue that IT development, together with the business, should pay greater attention to the demands of “process”. Too often, “critical” applications - usually for the web - are hurriedly churned out “to meet business needs” with little or no thought given to embedding effective security measures in the development process. IT security might be consulted as an afterthought, usually when it is too late; at best, security is bolted on after the fact.
One solution trumpeted by analysts is web application firewall technology, but this is not the way forward, according to Compuware solutions manager Sarah Saltzman. She likens it to applying a sticking plaster to security problems, and insists that a cultural change is needed, with developers armed with the tools and skills to build robust, secure applications.
Fine. If we are going to hold IT security to account on process theory, then polishing the application development process would be a good place to start. A case of “physician, heal thyself?”