The Security Dividend

Now, Equity, which owns and operates apartment building properties, has audits of its enterprise network conducted on a yearly basis, using outside partners such as Neohapsis and Cisco Systems' WheelGroup. Other security partners include VARs Ambrion and Cadre Systems, which helped Equity develop its security strategy.

Equity began its quest to beef up security last year. The company's focus is not unique: Nationwide, IT spending on products and services that safeguard data and networks is up as companies try to protect themselves against threats ranging from annoying spam to costly cyberattacks.

So it's no surprise that VARBusiness' 2003 State of Enterprise Spending survey of IT buying trends shows security-related technologies at or near the top of the list of budget priorities. For example, 57 percent of the companies surveyed said security software technologies will be very important to their overall IT spending in 2003. Security software scored higher than any other software technology, including server/network operating systems, disaster-recovery and database management.

Enterprises are deploying a wide variety of security technologies through their solution providers to make their networks and systems more secure. Spending on products such as intrusion-detection systems, virtual private networks (VPNs), authentication systems, firewalls, content filtering, encryption and antivirus programs is getting the green light at many companies.

Helping to spur the increased investment in those technologies, and in related security services, are threats such as cyberattacks, computer viruses and concerns about contingency planning and disaster recovery. Industry analysts say security, often among the top priorities at IT departments, has taken on even more significance in recent months. And all of that's reflected in companies' IT spending plans.

"If you talk to a lot of companies, they'll say their IT spending will remain flat or, in some situations, decrease. But we've found that the security portion of the IT budgets has been increasing, and it's expected to increase this year as well," says Allan Carey, program manager of information security services at research firm IDC, Framingham, Mass.

Aside from the greater number of perceived threats, several factors are helping drive security spending upward. "Companies are shifting to a more proactive approach to security," Carey says. "And in some industries, such as health care, government regulations are forcing companies to put measures in place to protect the data in their networks."

In addition, many corporate boards are pushing the idea that enterprises must protect their intellectual property and information assets, because they may be held liable by stockholders for breaches of information or if a hacker uses their network or servers to launch damaging denial-of-service or other attacks.

According to an IDC report on security products and services released in February, worldwide IT security spending will increase from $16.9 billion in 2001 to $44.5 billion by 2006, a compound annual growth rate of 21 percent. Security hardware will grow roughly 25 percent per year, from $2.9 billion to $8.9 billion; services will increase 24 percent, from $8 billion to $23.2 billion; and software will rise 16 percent, from $6 billion to $12.4 billion.

Along with the increased investment in technology, there's a growing demand for managed security, consulting and integration services that help companies implement security technologies. "Companies are looking to managed service providers that can act as a complement to their internal security staff, to give them a higher level of protection," Carey says. In addition to installation, maintenance and training services, such teams provide business continuity, disaster-recovery and incident response preparedness services.

Print Protection

Managers responsible for security at companies agree that the focus on protecting the enterprise has taken on a new urgency.

Quad/Graphics, a printing services company based in Pewaukee, Wis., which prints VARBusiness magazine, will increase spending on security products and services by roughly 60 percent this year compared with 2002, says Damian Drewek, director of technical services. Drewek says Quad/Graphics has relied on partners such as SynerComm, a networking and security solution provider in New Berlin, Wis., to implement security systems.

Among the printing company's key security initiatives this year will be the rollout of a server-based intrusion-detection system to protect its network from internal and external threats, Drewek says. Details about how extensive the rollout will be are still being determined, he says.

Another effort will involve "locking down" PCs by using desktop-management systems that let network administrators track such things as software and hardware configurations. That will address the problem of employees downloading software that could contain viruses or present other security threats.

Quad/Graphics is using a VPN based on the Secure Sockets Layer (SSL) protocol to provide secure access to Web-based business applications for 10,000 employees in 23 U.S. production facilities. The product, from Whale Communications, lets users remotely access e-mail and intranet applications. Employees who need access to production applications that are not on the Web employ a separate VPN that uses an IP security client, Drewek says.

Despite ongoing concerns about hacker intrusions and other threats, Drewek says computer viruses remain the biggest problem. "That's what many companies have gotten bitten by the most, and we know we're still vulnerable," he says. As a result, Quad/Graphics has invested heavily in antivirus software. It will add spam-filtering software to the mix, he says, "because spam brings in a lot of the viruses."

Eliminating E-mail

Unwanted e-mail is also a problem for retailer Bealls, Bradenton, Fla. "We'd really like to do something about filtering out spam. It's a nightmare," says George Hiskes, senior vice president of IS at Bealls.

Aside from exploring spam filtering, the company uses (or is planning to invest in) business-continuity systems, intrusion-detection software, antivirus software and digital certificates. Bealls has used outside service providers such as Deloitte & Touche to conduct audits of its security, Hiskes says.

A top priority is protection against viruses. "We got hit pretty hard by the 'I Love You' virus two years ago; our e-mail systems were down for three or four days while we cleaned up all the servers," Equity's Shelest says. "E-mail is crucial to our business. We have up to 3,000 people at all of our properties communicating via e-mail."

Equity is using antivirus products and services from Trend Micro. Other security investments include a VPN from Check Point Software to ensure secure remote access to its network and an intrusion-detection system from ISS to monitor its network perimeter.

Equity also uses freeware such as Snort, a Linux-based real-time network intrusion-detection system, and a combination of free and commercial auditing tools to evaluate its routers, switches and servers. The company also uses digital certificates to authenticate communication with business partners over an extranet, and is exploring using digital certificates with wireless devices to ensure users' identities and authenticate access to networks or applications.

Sentry Insurance, Stevens Point, Wis., has also taken a multifaceted approach to security, using firewalls, intrusion detection, virus scanning and VPNs as components of its security strategy. Spending on security will be up 50 percent compared with last year, says Eliot Irons, information security manager at the insurance company.

"We're taking a layered approach to security down to the application level," Irons says. "If you have a depth of defenses, you can keep external threats out. You wouldn't believe how many infected [files] are getting stopped by our firewall."

Irons says Sentry is using SynerComm as its major security partner. "SynerComm has given us a central resource for the various security products we purchase," Irons says. "We go to them if we're looking to change something or get new products."

The VAR Comes In

Sentry is not alone in using outside partners. VARs and integrators have become significant players in implementing security technologies and will play an increasingly important role as security strategies become more complex.

"Demand for integration and other security services has tracked with the growth in security product spending," says IDC's Carey. "We're seeing companies looking for outside experts--trusted partners to advise them on the best security practices."

Some security vendors are relying heavily on integrators to get their products to customers. For example, Check Point Software, a Redwood City, Calif.-based supplier of firewalls and VPNs, makes 100 percent of its sales through channel partners.

"Integrators play a key role; we rely on them to help customers deploy and maintain products," says Greg Smith, director of product marketing at Check Point.

Kirk Hanratty, vice president and technology officer at SynerComm, which provides a variety of integration services, says the company is working on security projects with nearly all of its customers. SynerComm provides products in any security category a customer wants and offers security assessments.

"The market for products that make remote access more secure is very hot," Hanratty says. In addition to protecting networks from outside intruders and ensuring the identity of trading partners, companies want to make sure that employees don't get access to applications such as payroll, he adds.

Perimeter Internetworking, a company that provides outsourced IT services to small and midsize companies, also has seen a big increase in demand for security services.

"The cost of security technology is very high, particularly for a smaller company," which has to spend a larger portion of its revenue to protect systems and networks, says Brad Miller, CEO of the Trumbull, Conn.-based company. "It's a fight they can't afford to lose, but it's one they really can't afford to fight." As a result, many of them are turning to companies such as Perimeter, which buys security technology from vendors such as TruSecure and then provides shared services to customers.

Among the technologies most in demand, Miller says, are intrusion-detection systems to supplement firewalls, VPNs, secure tokens to identify individual users and antivirus software. One service Perimeter provides is writing custom filters to block new viruses until vendors deliver a vaccine. Another is scanning customers' networks for vulnerabilities.

Brian Cosker-Swerske, CTO at security products VAR Evigi, Dallas, says demand for managed-security services has increased sharply, and he expects the trend to continue as security becomes more complex.

"The security checklist used to include a firewall and antivirus software, and away you went," Cosker-Swerske says. "Now companies want to keep drilling down to make sure they're secure, and they want to test their security at least every quarter. They need to know it's actually working."

Bob Violino is a freelance writer based in Massapequa Park, N.Y.