The eSentinel: Security in 2001--Back to the Future

Services, not technology, will help the security industry surpass enterprise expectations in the coming year.

Grasping all dimensions of cyber-security in 2000 has been a challenge. Enterprise security in the new millennium just isn't what it used to be. In the good ol' days--a couple of years ago--firewalls were for servers, and the Internet was for desktops and laptops, not mobile telephones or PDAs. E-mail brought documents from business partners, not Love Letter A from your worst nightmare.

With new security perspectives and protection imperatives, 2001 won't be just another year in paradise. Purgatory will prevail and will likely continue throughout the coming year. Here's why:

  • Security hasn't reached industry status yet. There's plenty of software, some hardware, a few services, and some integrated features in Internet-related security products. Currently, this Internet security field is a frontier with cyber-wagons being pulled together for quick passage to the promised land of revenue and profitability. Few rules exist and little standardization has surfaced. Every organization is isolated, and like any sod-busting adventure, many who begin the journey will succumb to the wiles of security hostiles out there.

  • Federal and state legislation will continue to lag behind technology and technique. Legislatures have been attempting to address cyber-crime and cyber-rights, without much success but with much trepidation.

  • The debate over who's in charge--industry or government--will continue. Many Internet-related security issues will rage unabated. Online privacy, now one of the foremost issues on national agendas, is just one of many points of contention. Among the others are: appropriateness of civil vs. criminal action for computer crime, geographic vs. electronic jurisdictional boundaries, private loss vs. public disclosure, and law enforcement intrusion vs. business confidentiality. While there's talk of working together for the common good, industry alliances continue struggling internally to find secure standards for technology and business behaviors that work for all.

  • Little consistency in education, training, experience, or certification currently exists for specialists in the security field. E-security professionals are in very high demand and in short supply. At the same time, so few are trained and experienced that a wide range of backgrounds is represented among those currently filling security positions.

  • The majority of corporations are in denial regarding cyber-crime threats and vulnerabilities. Since the focus of news is shifting from hackers to those hacked, and business losses are gaining substance, breach denial is quickly transforming into recognition in the form of substantial security budgets.

  • Digital domains are rapidly evolving, requiring law enforcement, business, and consumers to constantly rethink where the boundaries for protection exist. Business Web sites, networks, telecommunications, and servers were the targets in the early stages of the hacker-craze; now, Internet appliances, family Web sites, home networks, mobile telephones, PDAs, Internet calling, and messaging are among hacker objectives.

    Trends For 2001

    Superb technology is a necessary but insufficient condition for success in the security market throughout 2001. Several other security vendor factors, including business model, marketing acumen, and client relationship management, must work together in the coming year to generate excellent, effective, and reliable protection.

    The following trends will influence the security market in 2001:

    1. Continued vacillation will occur regarding where security protection fits into operating system, application, Internet, and telecommunication infrastructures. That is, should enterprise security functionality be modular, integrated within products, or administered as a service? Companies have been unable to answer this question because cyber-security product development decisions, like most in the high-tech markets, are not based on logical and integrative design, but instead on competitive advantage and company strengths.

    2. The managed security services (MSS) market will expand rapidly on both vendor and client sides. Large, pedigreed corporations with track records related to cyber-security (consumer, business, or consulting related) will develop or roll out new MSS offerings. Many smaller security start-ups will emerge supplying unique protection offerings. This market will continue to grow rapidly.

    3. Security services will be expanded to include breach forensics, investigative services, and litigation coordination. These tail-end services deal with evidence preservation, breach loss identification and analysis, and civil litigation to obtain actual and punitive damages.

    4. Large to enterprise-level firms will progressively establish chief security officer executive offices as hubs to integrate all security services.

    5. Corporate security investment confusion will continue due to best-of-breed, point solution vendors competing against integrated, proprietary solution providers. The question for corporate security decision makers remains: Which solution will be more productive and cost effective, separate products for different security applications (e.g., firewall, e-mail, encryption) or integrated proprietary solutions?

    6. Security specialists will become more recognized as professionals, bringing with them unique training, certification credentials, and background requirements (e.g., college degree, background check, financial security). The current shortage of well-trained and experienced cyber-security professionals will intensify, leading to even higher salary levels.

    7. Program code development will explicitly integrate security design and testing procedures.

    8. Security in this developing market will include both technical (e.g., VPN, firewall) and physical (e.g., facility protection, area access control) security skills. Technical and physical security considerations are increasingly interrelated, and must be managed from a holistic perspective.

    9. Universities and colleges will offer new graduate programs in cyber-security, either through computer science departments, business schools (computer information systems), or specialized computer engineering programs.

    10. Cyber-security insurance will become a standard protection component in large and enterprise-level corporations. While insurance standards remain to be developed for e-business, this market will be so lucrative that insurance firms will develop unique metrics to insure the most prominent companies.

    It's Not Just Cyber-Security Anymore

    The above trends foreshadow a daunting new year for enterprise security. We live in interesting times--dangerous and exciting. New disciplines are needed for effective methodologies, and innovative legions of security professionals are essential to bring this field together.

    While the Certified Information Systems Security Professional (CISSP) certification seems to be gathering respect and support from business and government communities, little beyond product certifications takes into account the tools and skills needed for cyber-protection in the new millennium. Interestingly, the e-security model is changing to encompass more of the real world.

    Online and related offline (e.g., portable computer theft) attacks will continue to grow, creating a need to maintain safe work locations both onsite and offsite for employees and customers alike. Physical security skills, such as facility planning and equipment theft prevention, will also be required to integrate cyber with physical protection. Chief security officers' responsibilities will entail computer and telecommunication systems, access control, logon authentication, asset protection, employee background checks, and user security training.

    Good news and bad news for 2001 differ by sector. Organizations searching for reliable and cost-effective protection can take heart that new MSS providers will be offering a variety of packages. The bad news is those providers will often be unstable, still developing internally, and suffering from the same lack of experienced professionals that their clients face.

    All in all, 2001 is shaping up to offer something for everyone, but total satisfaction for few.

    Dr. Goslar is principal security analyst for E-PHD LLC, a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.
