The purchase and support of security technology is still viewed by many organisations as a necessary evil. It is often considered to be a non-productive drain on the IT budget, but can, if not correctly deployed, actually hurt the operational efficiency of the business. This is a sad state of affairs that Butler Group firmly believes has to change, and change very quickly. The existing scattergun approach to IT security, in which organisations deploy and utilise a range of point-based protection solutions, is not good enough. It is inefficient, and often leaves security holes that are ripe for exploitation. For organisations that are really serious about protecting their corporate assets - which all organisations should be - whilst ensuring that their systems and networks remain open to authorised users, it is time to demand a better future from the suppliers of mainstream security solutions.

Leading security vendors are currently promoting Security Management as an approach to the delivery of protection services that will ultimately add control, integration, and enterprise-level information to a sector of the technology marketplace where all these elements are often sadly lacking. However, before going overboard in the rush to endorse yet another new approach to IT security, it is important to understand what is on offer, how its services can be delivered, and what commitment is required in order to get there. When security technologists discuss the subject of enterprise security, and the value that can be obtained from the Security Management approach, what is on offer is in fact a methodology for obtaining better value from existing technology. Nevertheless, they have to do better than that: Security Management must provide an approach to enterprise security that brings together people, policy, and technology.

It is also important to recognise that IT security can never be an exact science.
On a day-to-day basis it involves achieving a balance between acceptable risk and the operational needs of the business. Our recommended Security Management model recognises that the provision of protection services is no longer the sole responsibility of IT practitioners - it involves everyone that works within the business, all systems users, in fact everyone that has access to business information. The wider picture for corporate protection must also involve compliance and regulatory issues. Therefore, the delivery of an enterprise security culture, as defined by the Butler Group view of Security Management, takes in the integrated use of technology and links it to visible security policies that define the responsibilities of an organisation's employees.

As will be highlighted throughout this Report, Security Management does involve making better use of existing technology. This it seeks to achieve by underpinning the use of front-line protection products with a central core of information and management facilities that provide integrated security services and information flows. The objectives are to match the protection needs of each organisation with its operational and business requirements, and at the same time to ensure that security administrators and senior IT decision makers are provided with consistent sources of information that accurately match their needs.

At this stage it is important to acknowledge that the fragmented security frameworks that most organisations have in place are already complex and difficult to manage. The ultimate goal for Security Management is to build a cross-enterprise, unified security framework - bringing together the associated people and policy compliance requirements. Security Management is being promoted as the way forward.
In Butler Group's opinion it is certainly not a 'White Knight' solution that will make the troubles of the security world disappear - nothing exists that could get close to achieving those objectives - but without attempting to understate the issues involved, we believe that it is extremely important to support an approach to security integration that has the potential to provide significant benefits to organisations of all types and sizes.
Our founder, Martin Butler, recently wrote an article about Security and Risk in which he looked at putting a price on the expected damage that hackers and other malcontents could cause to the average organisation. In the article he asked the very important question of when the cost of security becomes greater than the risk that is hopefully being reduced. He pointed out that in most organisations no one is estimating risk, and that, along the same lines, it is unlikely that anyone is measuring cost. Therefore, we must assume that from an economic point of view, security technology will continue to be seen as a liability more than as an asset. Martin was of course right; from a business perspective most organisations see security spend as dead money, they see few tangible bottom-line benefits, and to date, even fewer measurable paybacks.

What this highlights is a technology sector that is tolerated through necessity, but will never be valued in the way that Database Management Systems (DBMS), Business Intelligence (BI), or any other strategic analysis and information management technologies are cherished for their business enablement and information insight capabilities.

However, from a security and business perspective, what is changing is the issue of need, and the more information that organisations hold about their customers, through the use of BI and DBMS etc., the greater the duty of care becomes to protect those assets from being compromised. Also, because of ongoing regulatory and compliance issues, there is a greater requirement to understand what assets are at risk, how those assets are threatened, and what solutions need to be in place to minimise risk and ensure that company managers cannot be censured for not properly securing their systems and the information that they hold.
Quite frankly there was never a chance that the governance and compliance rules that are coming into play across a wide range of other technology areas would give the security industry a miss, and regulatory compliance, along with corporate policy management, will be key drivers of any new business-driven security model. Unfortunately, and we will return to this issue many times within the body of this Report, what most organisations do not have today is the ability to understand how well their systems are protected, or the ability to highlight those areas of systems and networks that are most at risk. Most of the time the base security products that organisations have deployed perform reliably; 'they do what it says on the box'. Sadly this piecemeal approach is no longer good enough: security systems need to be able to provide adequate protection and then deliver detailed information about how well their service has performed and is performing now. In order to support the complete business needs of the organisation, there is an overriding requirement to identify and put in place security solutions that empower administrators and business decision-makers to see the whole security picture. At the top level there is a need to know what threats are being posed against systems and operations, how adequately existing systems, applications, and networks are being protected, where the new vulnerabilities lie, and how security solutions are performing against corporate compliance, business policy, and data protection requirements. At an enterprise level, these are the real business issues that today's point-based security offerings will never be able to address.

Going forward, it will become vital that organisations are able to prove that their information security services are up to the required standards, and that the information that they hold is adequately protected.
It will become a precondition of doing business in the future - especially with the inexorable move towards e-Business and e-Government. Even at everyday business levels, organisations that need to share information and systems access capabilities with trading partners will demand that those trading partners' security operations achieve acceptable protection levels.
Recently the CIO of a well-known US company that takes responsibility for maintaining and storing sensitive consumer data was heard to complain that the exposure of customer information that was supposedly under its stewardship did not constitute a successful hack of its system, and therefore its security was not at fault. Without going into the technical rights and wrongs of this particular issue, the fact remains that information from innocent customers was exposed as a result of malicious and fraudulent activity. In the business world there is no point in a supplier of supposedly secure information services complaining or calling for a foul because the opposition failed to adhere to its security rules. In the information exploitation game there are no rules of engagement.

Any security-based solution is only of practical use if its protection cannot be circumvented. In other words, the technology on its own only provides layers of protection, whereas successfully delivered enterprise security has to involve a partnership between well-run technology systems, the people who take responsibility for the day-to-day operation of an organisation's business, and the policies that are in place for delivering the company's services.

When considering the key technology issues associated with IT security, and Security Management in particular, it is important to understand one thing from the outset. Security, and the delivery of its services, needs to be ingrained within an organisation's operational culture if it is to successfully support the day-to-day business operation. No amount of investment in technology alone can deliver this.
The Security Management methodology and infrastructure management approach that will be discussed in detail throughout this Report will consistently highlight the fact that the type of enterprise security culture that needs to be supported involves bringing together technology, policy, and people.

Furthermore, we will argue that deploying a Security Management approach to the delivery of enterprise security services does not necessarily involve dispensing with the services of existing security investments, but it does involve making better use of these technology-driven products. Any new investments in technology within the Security Management paradigm will focus on service delivery issues. The Security Management model, as defined in Section Four of this Report, contains three key elements:

1. Feeder systems that provide security protection and deliver security information.
2. Central Security Management functionality that deals with all security information, interrogates systems and networks in order to assess performance, identifies vulnerabilities, and supports the administrative elements of security and its delivery.
3. Reporting services that support all key users and deliver information in the form of reports, alerts, dashboards, and portal services.

The starting point for building an enterprise security culture is to ensure that the technology facilities that are already in place are capable of protecting the business and its operational needs. It begins with risk assessment to establish which areas of the operation need to be protected. It identifies vulnerabilities, and addresses these at a level that will allow administrators and managers to deal with each issue and measure their successes without being overwhelmed by the vast amounts of data that individual security products generate. Then it moves on to building solutions that can match the business needs of the organisation today, tomorrow, and into the foreseeable future.
IT security, in its many forms, is already a multi-billion dollar market sector (circa US$20 billion last year) that will continue to grow its sales value into the future. Datamonitor predicts that by 2008 that spending figure will have almost reached US$32 billion. Such extremely large numbers are indicative of a technology sector possessing presence, power, and influence, and it is one that will not be ignored.

As we move forward, the market for security services will constantly change in line with technology advances, all of which adds to the complexity of the security model, and to the range of protection services that are necessary to facilitate normal business operations. It used to be the case that organisations felt well protected if they had up-to-date Anti-virus (AV) and anti-spam facilities, Virtual Private Network services, and a firewall in place. However, mobile workers and the flexible use of virtual office facilities - which in many organisations is already a reality of everyday access requirements - put paid to those particular comfort zones. Then, when the added workload of supporting on-demand customer and partner access requirements is added into the mix, the real complexities of delivering business-focused protection services start to become even more apparent.

Butler Group believes that the IT security industry as a whole is entering a stage of its evolutionary lifecycle where across-the-board market forces - the range and complexity of business activities; the complex nature of supporting technology infrastructures; and the massive variety and range of threats that constantly present their credentials each day - will force radical change.
We have already seen a move towards the delivery of blended (protect against everything) solutions in the AV, anti-spam, and firewall sectors, and with other point-based protection markets moving in similar directions, the conclusion has to be that for public and private sector business users, the days of the single-function protection system are coming to an end.

There are no individual security solutions that can stand alone against the range of threats that are presented against business systems every working day. The need to bring in security technology that supports the overall operational strategy of the modern business will push the industry further towards the integrated Security Management approach that this Report advocates. The business community wants to feel that its operational systems and networks can be adequately protected without disruption to its day-to-day activities; the leading security vendors wish to move on to the provision of enterprise protection systems. There is a synergy to these goals, but a lack of standards and integration capabilities across the security industry as a whole will continue to cause problems.

The marketplace is ripe for change, but whether it is ready for the radical overhaul of an enterprise security culture that brings together people, policy, and technology only time will tell. The benefits of such an approach are easy and straightforward to define, but will require tenacity and dedication to deliver.