Since I have worked in this industry, one trend has always been evident – most IT departments can’t, don’t or won’t pay for the very cutting edge developments in security technology. It’s not that they struggle to keep up with these developments; on the contrary, they are the very people who are demanding them. It is that they have different priorities. Technology budget is traditionally focused on performance and delivery rather than security, as that is where the obvious business benefits lie. Security rarely gives a return on investment; it is there to prevent loss. So at best security is not noticed, at worst it is seen as a cost which does not always deliver benefits. When security technology fails to prevent loss, its value is not noticed but its weaknesses are exposed. And this is the industry we choose to live in. As a result of these influences, security budgets are typically single figure percentages of overall technology budgets – 5% is a figure I often hear quoted on large programmes. This can sound like a lot when given in absolute terms, but £20 million is only a big budget until you realise what you have to achieve with it. This is one reason that programmes often end up aligning with a large security vendor, to take advantage of sales discounts and bulk licence deals.
Another consequence of the high cost/low return of security technology has been various compliance initiatives, all with good intentions, to try to force industry to be secure. Fines are now levied on companies who do not keep personal data safe, or payment card information encrypted. This only helps security if implemented correctly, but always meets compliance if applied by the book. Therefore, security budgets (where not consumed by overall technology budgets) are often completely spent on compliance, not security. This is clearly sub-optimal for security and industry in general, and yet it is still the only tool available until security is properly valued.
In response to this, we have been through a number of makeovers over the years. I started work in IT Security, until someone removed the technology component and I worked in Information Security. A brief spell in Data-Centric Security followed, until we realised that Information was “Data with value”, and it was back to Information… Assurance. For me, this was the first time my industry had realised that we needed to work WITH business, providing incentives to invest, not just stopping losses. Assurance recognises that security is not enough, but that there must be some feedback from the system, some proof of operation. Business is starting to invest more in assurance, dealing as it does with risk, which programmes understand far more easily than direct threats. Risk still requires balancing against costs of course, but it has a simpler quantitative correlation than threats. What Security is still missing is adding value, rather than cost, and what Information Security and Assurance do very well is to create data about transactions.
Identity solutions are a fantastic example of this shift in focus: what were previously transactional metadata are now valuable profiles of a customer or member of staff. What was once a logon to an application, or a group of unrelated logons to several applications, is now a complete picture of that user. Identity programmes tend to start as a way to ensure compliance or to enable existing processes to operate more smoothly. What they often end up as are business enabling solutions, allowing businesses to extract more value from their staff and customer base; but Identity is a special case, giving as it does insight into whom the corporation is dealing with. Other security technologies must deal with transactional data of one kind or another. Logging and monitoring solutions are moving into this space, with big data stores enabling more data analysis in shorter timescales. There are others in this space using new evolutions of Big Data processing to create anomaly detection across entire e-commerce infrastructures, analysing complete HTTP streams on the fly. These solutions recognise that the bad guys will get through sometimes. It’s not about how we stop everyone (Security), or how we show confidence in systems (Assurance), but about how we treat anomalies, those who aren’t using the system as it was intended. Of course behavioural analysis is not just useful in security terms, and indeed we may be in danger of losing focus to those looking at performance and delivery again.
However, I believe we are now on the cusp of another iteration of Security, one which realises that Assurance is also not quite there. Answers on a postcard…