Security Bytes:

March, 2009

Mar 30 2009   8:23PM GMT

CISOs seek frugal ways to secure systems



Posted by: Robert Westervelt
CISO, budget, security budgets, data security, secureworld

It is budget-cutting time. Companies in all industries are looking for ways to save money in a down economy. Security analysts say companies are slowing ongoing projects and delaying others, signaling the acceptance of more risk.

Security pros who attended the two-day SecureWorld Expo on March 25-26 in Boston learned about a number of ways to keep sensitive systems locked down while trimming their already tightening budgets.

Candy Alexander, CISO at Long Term Care Partners LLC, urged attendees of her session, “Security compliance program on a shoe string budget,” to develop a framework by using guidelines outlined by NIST. Alexander said NIST would be a cheaper source than the ISO standard. Although the benefits of ISO over NIST, or vice versa, are debatable, ISO is also not a widely adopted standard in the U.S., she said.

While much of the information doled out during the 45-minute presentation was basic, it certainly could serve as a starting point for some security pros looking for ways to keep systems secure despite a tightening budget. The most important piece of the talk: Know your data. Know where it is. Know how it flows through your systems. It’s so simple, yet time after time I hear that many data breaches happen because an attacker found a hole in a database that IT didn’t even know existed.

A friend who works for a major university in Massachusetts told me that in the first few weeks on the job he followed the basic steps of identifying the most sensitive information, where it was and how well it was protected. During the process he found a database containing thousands of credit card transactions in a small office off one of the university’s dining facilities. It had been there for years. Few knew it was there and those that did — dining facility staff with little technical expertise — didn’t realize the data residing on it was so sensitive.

Having a sound security policy and enforcing that policy was also one of the takeaways from the expo. Although it’s another fundamental part of being a security professional, we’ve heard countless times that some organizations have policies that they downloaded off a website and rarely refer to them or educate end users about them. Charles Cresson Wood, a consultant at InfoSecurity Infrastructure Inc., a Mendocino, Calif.-based consultancy, gave the SecureWorld keynote, urging those listening to rethink their security policies. If an organization doesn’t have policies that align with business objectives, then they should be written with that in mind, Wood said.

Wood advised attendees to conduct an annual risk assessment, tying it into the company security policies. He said some of the best security programs also create an environment that fosters higher security standards among employees. Management plays a big role, he said.

Finally, an information security officer tag team of Leilani Lauger of Loyola University and Morey Straus of NHHEAF Network Organizations tackled ways CISOs can do their job frugally. Straus said CISOs can consider managed security services and should also take a look at the company’s existing contracts with third-party vendors. Some of them may be able to be renegotiated at a cost savings, he said. Straus said CISOs can also help foster the culture of valuing information security by acting “less as a cop and more like a guide.” Lauger said security pros should also design training programs that are interesting and replace outdated posters and material with fresh content on a regular basis. Send out security messages in multiple forms, not just weekly email messages or security posters, she said.

Mar 4 2009   8:33PM GMT

Cisco’s email services — They hadda’ do it



Posted by: Neil Roiter
email security, security appliance, Cisco

I’ll throw in my nickel’s worth (two cents just isn’t worth anything) on Cisco’s announcement that its IronPort email security — long available in a series of top-shelf appliances — would be offered as a managed service.

This was a necessary, even defensive move for Cisco, when you look at it from a market perspective. Email security as a service, which has been very popular among SMBs, is getting more traction among enterprises as they look at which tasks they can offload comfortably without violating or changing security policy.

So the hybrid approach may be particularly appealing to enterprises. It’s one of three along with a hosted model in which the appliance is managed in a Cisco data center and a managed service in which Cisco manages boxes on the customer’s premises. The hybrid approach takes the chore of managing incoming filtering off the enterprise’s shoulders, while allowing the customer to keep control over their outbound data for DLP and encryption. It’s relinquishing that outbound piece that often makes enterprise security managers’ blood run cold.

SaaS, on the other hand, does more than take up the administrative chores as well as the care and feeding of more boxes on your network. The pay-as-you-go model lets you treat email security as an expense. Laid off 1,000 people? Ratchet down. Good times coming? Ratchet back up. Consider whether your email security vendor can offer that kind of flexibility or comparable value if you are looking to move to some services model.

Cisco isn’t offering any new security capabilities, but to my way of thinking, if I were a vendor (thanks, but no, I prefer poverty) I’d want to tell my customers they can get the same level of security whether they buy appliances or contract for services — and IronPort appliances are considered first-rate.

So, Cisco had to start offering their email security as a service. Symantec acquired a full-blown leading SaaS vendor in MessageLabs, in addition to its own appliance and software options. Symantec already offers a stronger DLP combo than Cisco, through its acquisition of Vontu, but IronPort offers more formidable Web security.

McAfee, another big security competitor, applied some considerable pressure when it bought rival Secure Computing, which, in turn, got into the email security business by acquiring CipherTrust. They also offered a hosted service option and a mix and match of hybrid combinations (the major appliance vendors also offer virtual appliances, which Symantec says may already account for as much as 20% of its appliance business).

Proofpoint, one of the increasingly rare major independent pure-play email security vendors, offers both appliances and hosted services.

This is getting down to the nitty-gritty. The email security market is pretty well consolidated, both on products and service-based options. SaaS vendors like Google and Symantec’s MessageLabs are gobbling up SMB contracts. At the high and mid-high ends of the market, in particular, competitors are going to have to offer a mix of very robust options at attractive prices.