Managers responsible for network security are being hampered by too many products and too many services, writes Andrew Kellett
IT security suppliers as a whole talk far too glibly about how their security products have the ability to secure and protect corporate systems and networks. It is as though the network itself was something to which you could apply a padlock, and all the world's problems would go away.
The reality of course is immeasurably more difficult to predict, even assuming that the end-user organisations that own the networks and associated business systems know what needs to be protected: an assumption that, in my experience, it would be very unwise to take at face value.
From the end-user perspective there are two problems with all the technology that is gathered under the IT security umbrella. Firstly and fundamentally, there is far too much of it, and secondly, because of the range of products and their complexities, hardly anyone can prove how well each piece of the security jigsaw is working.
All of which needs to change. There are far too many deployed security products that do not fit the ongoing needs of the networks and systems that they were put in place to protect. They do not have the flexibility to cover the changes required to support new developments, react in real-time to new market vulnerabilities, or provide the correct levels of reporting that are required to prove that organisations are properly protected.
Although many enterprise-level network protection systems come with an extensive range of reporting facilities, such as item-level audit trail capabilities, the one thing that most have in common is an inherent ability to provide a level of detail that only serves to hide the real security issues.
Let me pose a few serious questions to chief information and chief security officers. In simple percentage terms, how secure are all the elements of your systems and networks? How does that compare to the position last week, last month and last year? Is the security of your networks and systems and the corporate information they hold getting better or worse? These are simple questions, and if the situation is not getting better or the answers are not clear, what are you doing about it?
Compliance and governance regulations that are already seriously affecting other areas of the business and IT are not going to miss out the IT security sector. Like other areas of business activity where new corporate rules are in place - Sarbanes-Oxley, HIPAA et al - the effects will be felt at corporate executive level, and the people that will be held responsible when security breaches occur will ultimately be at the CIO and CSO level.
The reasons are simple. If you are being paid to head up all areas associated with information and systems, you should know how well all your systems and security work in terms of the protection delivered and the information provided.
For systems administrators and staff who work with security systems on a day-to-day basis there is a need for report information at a detailed level. For the CIO, CSO and staff with similar executive responsibilities, there is an urgent need for security dashboards or similar high-level reporting facilities that keep them in touch with the big picture.
It is information compliance concerns that will ultimately change the way that network and systems security services are delivered. Cisco Systems and Microsoft have announced that they will be collaborating to make their emerging network security products compatible.
This is not an exercise that is being undertaken lightly. My impression is that the initiative is being driven, in part at least, by the business decision makers from Cisco and Microsoft's largest customers - business people that have already recognised that a fragmented product level approach to network security will never work for them.
These are the same executives that could be held responsible if network and information protection services go wrong. As a result, they are the people who are starting to demand that security services must improve, fully take into account detection, response, and reporting issues at all levels and, most importantly, integrate network and systems security with the requirements of the business.
Andrew Kellett is a senior research analyst at Butler Group
This article is part of Computer Weekly's Special Report on network security produced in association with Microsoft