The IT industry is selling users short. When it comes to meeting promises to add more processing cycles to CPUs or increase the areal density of hard discs, no barrier is too high but, as for guaranteeing enterprise security, the industry runs for cover, leaving customers to sort through a mire of claims, counter-claims and statistics.
Soon, however, the truth will out. Legislative and litigious pressures are forcing companies to ask harsher questions of their security suppliers, who will have to start delivering tangible, secure solutions.
Companies have never liked paying for insurance, and they never will - most opt for the least they can get away with at the lowest possible price. That is how it has always been, and that is how it is likely to remain.
Unless, that is, companies wake up to the fact that one type of insurance - security - really does relate to old-fashioned notions of value for money, and that with this type at least you get what you pay for. IT's rampant pursuit of sales creates the impression that security is a relative issue, suggesting that it is acceptable to scale from basic password protection at the low end to constantly monitored and encrypted networks and systems at the high end.
The net result is that where once there existed effective and imaginative means of securing corporate data, systems and networks, there is now a collection of disjointed technologies and capabilities cobbled together without any particular strategy: firewalls, tokens, PKI, cryptography, intrusion detection, virus scanning and biometric scanning.
Depending on which security expert you talk to, firewalls are either mandatory or completely redundant, while 128-bit encryption is either the strongest commercially available communications technology or a red herring deflecting attention from the real security issues facing companies, which are:
- Has a framework been set up?
- Are all staff fully vetted?
- What guarantees are given by service providers?
- How trusted are the systems of trading partners?
- What mechanisms are in place to ensure that breaches of security are detected?
All the inward-facing questions presuppose a capability to act on any shortcomings thrown up by the answers, but the evidence points to skills shortages, static investment levels, low levels of technology and service awareness, an inability to measure risk and exposure comprehensively, and a knowledge vacuum at board level, where there is little differentiation between real security issues and the smoke and mirrors put out by much of the IT industry.
Awareness levels will rise on the back of publicly contested litigation against those who have been attacked and have been seen to be negligent. Cases like those being settled out of court today will find their way into the judicial system. Then companies will have to prove that adequate protection existed, not only in their own systems but against possible breaches via trading partners' or even customers' systems.
In the meantime, despite skills limitations, companies are being exhorted to protect their systems by housing them in purpose-built secure datacentres as part of co-location and managed hosting services. But there really is no guarantee of complete protection. How can there be when so many of these facilities were built quickly when it was thought that demand for their services would rise indefinitely?
Warehouses, factories and other large spaces were sold to hosting companies almost as fast as redundant high-street bank branches were sold to pub chains. But these premises were never intended to act as secure accommodation for computer systems. They may boast anti-intrusion gadgets, redundant systems and power supply options, but one catastrophic event could still cripple the site.
September's terrorist attacks in the US show that things happen which all the planning in the world cannot prevent. The fact that the Pentagon escaped relatively intact was precisely because it was built from the outset as a secure establishment.
Asking the "what if?" question of many datacentre operations would reveal a somewhat less thorough approach. Does the warehouse next door have access to the roof? Is it possible for an employee's finger to be chopped off and used to gain entry via the fingerprint recognition system? Is the facility protected against electronic eavesdropping?
Too many customers are being sold short because they do not understand all the ramifications, and because the sales pitch is geared to convince an audience wanting to hear a knowledgeable voice. This anxiety is being tapped into at a collective level, spurred on by an industry keen to see uncertainty and doubt grip the IT-buying public.
History is littered with examples of what happens when purchases are made for the wrong reasons, but most do not have the potential negative impact of a botched security choice. Government computer projects come, go or simply collapse, but you can bet that a great deal more emphasis is placed on getting security right in central government operations. In the great scheme of things, a faulty passport processing system is merely an inconvenience, but an MI5 database made visible to the outside world has wider ramifications.
Dominic Hawken is director at secure hosting firm The Bunker