"More bittersweet than they hoped for, IT security staff have achieved the recognition they desired," says Steve Hunt, an analyst with Giga Information Group, Inc. "For years, security managers have complained privately that their company's senior managers don't appreciate security nor give it the attention or financial support it deserves. In 2002, the light was definitely shining on the IT security department, however, it was more of an interrogator's lamp than a limelight."
That means that while security and IT managers used to be largely left alone to deal with threats of Internet hacks, port scans and internal sabotage, they now have some company -- business executives. Today, with so much post-Sept. 11 focus on security, everyone from the CFO to the CEO to the board of directors wants in on the company's security policies and technology decisions.
Technology will no longer be purchased for good technology's sake. Now, IT administrators need to sit down with business executives and stretch their thin budgets to cover new technologies with true business value. Increasingly, the value customers receive will come from IT. And IT purchases will be focused on that one thought.
"Metrics used to measure the value of a business initiative -- such as cost effectiveness, measures of efficiency, coherent planning and reasonable funding commensurate with benefits -- are missing from nearly all internal security programs in the United States," says Hunt, who recently published IT Trends 2003: Security Budgets and Spending. "Most IT security departments had no idea exactly what the business units needed or why."
That's changing -- fast.
Hunt contends that IT security budgets for next year will remain flat compared to 2002 budgets. And the money that is spent will focus on solving problems related to security operations, user administration and device management.
Michael Rasmussen, another analyst at Giga with his own IT Trends 2003 study focusing on security issues, adds that administrators are finally clear on the idea that firewalls aren't enough. And their 2003 purchases will reflect that.
"As attacks increasingly penetrate through firewalls, the world is realizing that firewalls are only a part of the solution, and not the solution itself," says Rasmussen. "Security is not just for the perimeter anymore. Organizations are looking beyond pure network security controls such as firewalls and evaluating technologies and approaches to securing internal systems and applications."
As for firewall technology itself, Rasmussen says it will be moving away from server-based systems to become an "integrated and embedded part of the network infrastructure fabric itself."
As for the future of the IT staff, there will be plenty of patches and updates to keep them busy, especially since staffs largely have been hit hard by corporate layoffs. In 2003, Hunt predicts that IT staff will focus on updating systems with patches and cleaning up perimeter defenses.
And when a system is attacked, according to Hunt, administrators will be more likely to keep it offline longer while they follow the attack trail and patch the root of the problem at the operating system level.