A Pervasive Problem


In recent years, security has emerged as one of high-tech's most important areas. Solution providers took a closer look at the IT security business and rising customer demand at the CRN Security Roundtable. Here are excerpts from the discussion:

ON SOLVING THE SECURITY DILEMMA:
DAN MCCALL, GUARDENT: The problem is rooted in the dark side of human nature and the complexity of networking. If either of those change in our lifetime, I would be surprised. But over the last couple of years, there certainly is a shift toward [greater awareness of the issue]. I think ultimately there are going to be technology improvements, but will the vulnerabilities change? What it really requires is some level of service associated with staying on top of [the issue] and being diligent around the protection mechanisms.

CHRIS WYSOPAL, @STAKE: The only way you can truly solve the security problem is to do the stuff right the first time. No amount of firewalling and intrusion-detection systems is ever going to solve it. [Those solutions] are sort of making headway against the tide, but they are just a Band-Aid. You need to build the stuff in to make it secure to begin with.

MICHELLE DROLET, CONQWEST: Security is based on policy. We try to get [customers'] HR, IT, operations and legal [departments] in the same room together, speaking and communicating and actually putting together training programs and doing due diligence around the four E's: evaluate, establish, educate and enforce. You evaluate, you write the policies, you educate the employees, you put the enforcement technology in place, and then you start again every month of every quarter. It's just doing due diligence.



ON MICROSOFT/INTEL SECURITY ISSUES:
KENNETH CAVANAGH, VIGILINX: Every app, every operating system can be made more secure or less secure. Expecting a vendor at the chip, application or operating system level to provide complete, robust security is a fallacy.

ON WIRELESS SECURITY:
CHRIS ELLERMAN, MERIDIAN IT SOLUTIONS: Wireless is a new transport medium, and those who understand the technology can apply existing security and best practices with authentication, encryption and all sorts of things. It's an education issue.

CAVANAGH: Good security practice is good security practice, across any kind of environment. If [customers] follow the rules and regs and policies and procedures, wireless can be made as secure as it possibly can be.

PAUL ROHMEYER, ICONS: Another question [we ask] CFOs and CIOs is, granted you have wireless and it's keeping you up at night, but are you clear on the business need, the rationale for that [technology]? CIOs say they like their people to be able to move around, to be able to use the conference room or the cafeteria with their laptop, etc. Does that supposed productivity benefit outweigh the security concerns?

 

 

ON PROVING SECURITY SOLUTION RETURN ON INVESTMENT:
WYSOPAL: I think you can do it for certain aspects. We did it at @Stake for application security. . . . But that's just a small slice of the security market. Network security is something that everyone has to spend money on, and that's the hardest place to get data. No one wants to talk about how many incidents they had and how much it cost them to clean those incidents up.

GARY FISH, FISHNET SECURITY: Part of the problem is information sharing. If a company is down for two days because they have a virus and didn't have virus protection, they're probably not going to tell anybody about it. The next step is putting a [price] on what it really costs them not to be able to send an e-mail for a couple of days.

MCCALL: Operationally, you can do it because there are fixed costs associated with looking at a security infrastructure 7x24. So if [a client] says, 'I'm going to look at my intrusion-detection systems on a 7x24 basis,' that's going to require a certain level of staffing. So we can say, 'Look how much you'll save if you manage your security with us as a managed security provider.' But they're not spending what they should be spending today to watch their systems 7x24. They have a part-time IT manager looking at a subset of systems, and they're not doing a good job of it.

ON STAFFING:
FISH: In the short term, it's been easier. This year, I hired six engineers from competitors. Either they went out of business or weren't doing well. That's really the first year I've been able to hire people away from competitors like that.