IT departments should start challenging the high profit margins of IT security suppliers on commodity products, Gartner said today.
"Business needs to become more aggressive with suppliers and demand more for less," Neil MacDonald, a research vice-president at Gartner, told the opening session of the Gartner IT Security Summit 2008 taking place in London this week.
This could be achieved by letting suppliers know that business can and will switch to competitors if their suppliers are forcing them to pay more for less effective security technology such as anti-virus.
To survive an increased number of targeted security threats and remain able to respond to changes in business needs, companies need to move on from a siloed approach to one that is more co-ordinated and interrelated.
The boundaries between organisations are becoming blurred, which means individual organisations are no longer in control of all the pieces that make up their day-to-day business processes.
"Business needs to change its mindset to see security as an adaptive system aimed at protecting workloads and information, not specific end points," said MacDonald.
The goal should not be "zero risk", but rather "managed risk" in which the business has a central role to play and takes some of the responsibility for security away from IT, he said.
This means making a series of strategic changes, such as moving away from point solutions to linked-up security systems that can correlate and share information to enable the best decisions.
MacDonald issued a call to action to the security supplier industry, which he said was sorely lacking in some areas such as access control and standards for sharing security information and policy.
The security industry is holding business back with unconnected point solutions and obsolete pricing models for commodity products, said MacDonald.
"Suppliers should instead be focussing on research and development to support new and emerging security standards for sharing information," he said.
According to MacDonald, effective security is achieved through multiple layers of defence that all work together.
Although some suppliers are beginning to do this, there is still a long way to go before policy can be easily externalised and applied at the point of use.
"Model-driven security is what enables the real-time adaptive security infrastructure business needs," said MacDonald.
"Organisations need to start fighting tomorrow's battles by outsourcing routine security functions and using converged technologies that can adapt to new threats," he said.