Comdex Panel Debates Security Needs

Well, no, but that didn't prevent security executives from trying to answer the question anyway during a panel called, "How much security is enough?" held Monday morning at the Comdex trade show in Las Vegas.

To be fair, no one in the room expected the panelists to arrive at a firm number. Instead, the discussion served as more of a barometer for where security deployment is now. Analyst Chris Byrnes, vice president of the Meta Group's security division, said that five years ago people were just waking up to security concerns. Today, about 40 percent of organizations are well-secured, 20 percent are beginning to increase their security expenditures, but a good 40 percent still don't really get it.

"Overall security expenditures have increased by about 10 percent in each of the past three years, and security spending now comprises about 4 percent to 10 percent of a company's budget," Byrnes said. "Companies that were merely secure about five years ago are now looking to do things more efficiently, by remaining secure while cutting costs."

Ron Moritz, head of eTrust security products for Computer Associates, said one way companies might do this is by looking for security solutions that cover entire networks and can be centrally managed. But all the panelists agreed that such a system requires an organization to have a sound security policy.

"We had seven months to respond to warnings about the SQL Slammer virus, but many didn't," he said. "If you don't know what's going on in your network, you can't respond. The technology only helps if you already have the processes in place."

Preventing attacks is about more than just releasing patches. Microsoft has been bundling patches for its Windows operating system and releasing them less frequently to combat hackers who disassemble the patches and write worms based on the vulnerabilities the patches are designed to protect against. The idea is that releasing them in bunches makes it tougher for hackers to do widespread damage.

But Ben Golub, senior vice president of security for VeriSign, said all the patches in the world, no matter when they're released, won't do much to help the problem if the organization has unsound policies.

"Every network environment looks different, so there's always a level of risk and cost," he said. "You still need to understand what you have and what needs to be fixed."

Helping customers get this message is where VARs, systems integrators and solution providers come in.

"The message our partners try to convey is one of intelligence and control, the idea that risk isn't so much something to be avoided as to be managed," he said.