Debunking Information Security Myths
Analysts warn organizations not to buy into scuttlebutt.
Viruses, worms, hackers, spam, disgruntled employees, flawed software, terrorists—cyberspace is rife with danger, but defending information has some pitfalls of its own. Information security specialists are the front-line warriors in this battlespace, and they may be making important decisions about which weapons to use based on misconceptions often promulgated by security product vendors. Industry experts have taken a closer look at some commonly held information assurance beliefs and claim that many are little more than myths.
After speaking with dozens of information security users and vendors, analysts at Gartner Incorporated, San José, California, have taken on the challenge of debunking some of these myths. In an effort to help organizations enhance their security strategies and better manage their information technology budgets, Victor Wheatman, managing vice president, security, Gartner, has identified six notions that appear to be more flights of fancy than fact.
The first myth that many organizations fall for is that spending more money on information security products will improve security. This is the definition of security in depth, Wheatman says, but it is a no-win proposition. In fact, companies should be spending less in this area in the future, he contends.
By 2006, information security spending will drop from an average of 6 percent to 9 percent of information technology budgets to an average of 4 percent to 5 percent, according to Gartner research. Two factors will contribute to this reduction. First, company board members and government budgets will require information security managers to cut costs. Second, consolidation of the capabilities of information security products as well as improvements to current offerings will mean that a single solution will replace three or four products used today, Wheatman predicts.
The way information security is managed also will contribute to this decrease in spending. Systems administrators will be able to manage activity consistently within a network, so they will understand what is going on within the overall enterprise, Wheatman explains. As a result, they will not need to address security on individual platforms but instead will be able to evaluate the entire system. “They’re not doing that today. They are trying to do it, but security reports are 300 pages long when company leaders just want pie charts,” he states.
Another commonly held belief is that security is a journey, not a destination. “If you don’t know where you’re going, you’re not going to get there,” Wheatman notes. Organizations must have security plans to be able to assess whether their systems are more secure today than they were a year ago, he asserts.
Planning helps organizations not only to know where they are going but also to allocate enough funding to get there. Strategies must include decisions about what to do once the goals have been reached. Enterprises must decide whether they will continue to pursue additional security measures or agree that the security in place is good enough. Wheatman proposes that security plans need only include three elements: keeping the bad guys out, letting the good guys in and what he calls “keeping the wheels on,” also known as business continuity.
The third myth is that software has to have flaws. “This is only true if you keep buying software that has flaws. People say that the biggest beta test ever is [Microsoft] Windows,” Wheatman says. Belief in this myth has allowed companies to continue to release software before it has been thoroughly tested. According to a National Institute of Standards and Technology study, removing a software defect after a system is operational can cost two to five times more than if the defect were fixed during the final quality assurance testing, he points out. In addition to the costs, there are only a limited number of engineers—500 worldwide by Gartner estimates—who are knowledgeable enough to find the vulnerabilities.
“This problem can be fixed, but it should be done at an earlier phase of development. How do companies fix this problem? Don’t buy software until it is 100 percent. Accept that fact. Make it part of the contract or service-level agreement that the software must work,” Wheatman declares.
“Next year is the year of …” is the fourth myth of information security. Wheatman explains that any number of security approaches could be filled in to complete that sentence. “One year was the year of public key infrastructure. Another year was the year of single sign-on security. Then it was the year of biometrics. Don’t get caught up in the hype cycle of technologies that address information security. Identify which tools are good for you,” he states.
In part, Wheatman blames the media for the promulgation of this myth. He says stories about the latest security technology approaches “sell newspapers,” so they get a lot of publicity. The security methods may have some value, he adds, but the media should make the facts clear. Investing in technology too early can result in a waste of security funds, so he advises organizations to focus instead on their requirements and prioritize their purchases.
Myth number five is that regulations make a difference in security. “Regulations don’t matter,” Wheatman states. “Organizations have to be secure anyway, whether or not a regulation exists. Regulations are not specific. They don’t tell you what to do. What matters are the auditors who tell you what you have to do. Auditors determine the practices, and companies have to work with them and do what the auditors tell them to do.”
Wheatman points out that enterprises must protect the personal data of their customers because loss of confidence for violating clients’ trust can result in lost revenue.
Although regulations are not an impetus for strong security, established standards can be a good starting point for ensuring it, Wheatman admits. These benchmarks should be viewed only as guidelines because organizations are likely to need to tailor them to meet their individual requirements, he warns.
The final item concerns whether business units that talk the security talk actually walk the security walk. “The myth actually is that business units don’t care about security,” Wheatman says. Divisions within companies know that security must be a priority; however, they will not make security a high priority unless security managers explain what is at stake using some key terms. “Security managers have to explain what they care about in the right way to the business unit managers, so they see that it should be a priority,” Wheatman recommends. “Don’t say things like, ‘We’re vulnerable.’ Use business language and say, ‘Customer service can go down.’ Don’t use techno-talk.”
As the importance of information security has grown during the past several years, Wheatman relates, the position of the chief executive officer (CEO) within the context of security has changed. “The CEO’s role has been elevated because the threats have changed and because of regulatory issues. But other positions have changed as well. I recommend that the chief information officer, who wants the technology, and the chief security officer, who looks at the security, are at the same management level within an organization,” he says.
Wheatman has several suggestions for information security managers concerning the types of technologies they should invest in and those they can leave behind. On his “probably don’t need” list for most organizations, he places default passwords, personal digital signatures, biometrics outside of very secure facilities, Tempest shielding, digital rights management software, security posters and 500-page security policies. Documents outlining security should be two pages long, he states.
Several technologies are essential to securing information systems, however. Wheatman recommends host-based intrusion prevention, 802.1X scan-and-block capabilities for wireless devices, the ability to quarantine outbreaks, security audit capabilities, the Advanced Encryption Standard (AES), automated password management, and identity management and access control. He also suggests Secure Sockets Layer (SSL) and Transport Layer Security (TLS), gateway spam protection, anti-virus scanning software and a business continuity plan. While some of these items may not be required, he says, which ones are absolutely necessary depends on the nature of the organization.
One possible option for businesses seeking to ensure security is outsourcing. Wheatman emphasizes that turning to outside information security firms for help should not be viewed as admitting defeat and recommends that all organizations consider outsourcing at least part of their security tasks.
Enterprises contemplating outsourcing as an alternative should weigh the pros and cons. In general, engaging an outside firm to handle security issues is less expensive than maintaining an internal staff, an important factor when companies cannot afford to employ their own specialists. Additionally, because companies that specialize in security work for multiple clients, they have some of the most up-to-date information about vulnerabilities and threats. This experience can help them prevent security breaches.
On the other hand, security firms may recommend frequent changes in information security tools, such as firewalls, a practice that can increase costs. Wheatman also points out that some firms hire specialists located overseas, which can be a concern for some companies or agencies. Finally, a company’s culture may not support outsourcing.
Gartner’s research indicates that companies plan to invest more in information security during the next 12 to 18 months in response to growing threats and new regulations. However, analysts predict that company decision makers who do not see threats reduced and feel that their systems continue to be at risk may decide to outsource their systems’ security work.
Gartner Incorporated: www3.gartner.com/Init
SANS Institute: www.sans.org
National Cyber Security Alliance: www.staysafeonline.info
United States Computer Emergency Readiness Team: www.us-cert.gov