The shift away from security products to services at Infosecurity Europe in London shows that the industry is maturing,...
says Bruce Schneier, chief security technology officer at BT.
Clients care less about the details than about the end result, he told Computer Weekly. Business is also becoming more confident about outsourcing security-related functions.
Schneier predicts that this maturity of both business and service providers will continue to grow so that within three years much of IT security will be outsourced.
The trend, he said, will be to retain only a small group of people inside organisations to direct the security strategy who will call in outsourcers when they need to.
Organisations will outsource IT security in the same way that they outsource security guards and alarms systems and most other kinds of infrastructure today.
"Outsourcing is really what cloud computing is about, but service providers need to be transparent enough to enable businesses to make good outsourcing decisions," said Schneier.
The transition to cloud-based IT security services should be fairly advanced within the next five to ten years as service providers put all the necessary liability structures in place.
Guy Bunker, chief architect in the data management group at Symantec, says the move to cloud-based IT security and other services is inevitable because of increasing complexity and lower cost.
However, he believes it will take a lot longer for than a decade for the emerging cloud-based services industry to adopt low-risk standards.
Secure cloud-based services depend on industry-wide adoption of standards around user authentication and data exchange, storage, encryption and disposal, but this will take time, he said.
Considering that after 10 years there are still no industry standards around data archiving, Bunker is not optimistic that standards for cloud-based services will happen very soon.
Progress towards industry-wide agreements on IT standards typically happens with the "speed of a striking slug", he said.
In the meantime, Bunker predicts most businesses will adopt cloud-based services "only where it makes sense." The decision should be based on a careful analysis of risk and benefit.
The danger lies in the fact that many organisations are unlikely to be aware of the potential risks involved because they do not know the right questions to ask service providers, he said.
"In an economic downturn the temptation will be to go for cheap services without proper consideration of the security risks," he said.
A lack of standards creates the potential for problems with data availability and security that businesses need to understand before they can make informed decisions, said Bunker.
Without them it will be difficult to formulate meaningful service level agreements so organisations need to find out exactly how service providers will handle data.
Businesses will be able to assess the true risks, said Bunker, only once they know where data will be stored, how it will be secured, and how security processes will be reported on and audited.
"Cloud-based services can be secure, but only if business truly understands the risk," he said.