Everyone is feeling insecure about IT security today, and with good reason. In a survey of readers conducted by CSO Magazine, 70 per cent of respondents reported at least one e-crime or intrusion in 2003, and 43 per cent said the number of attacks had increased over the previous year. They estimated the cost to their organizations at US$666 million.
It’s so bad, says IDC, that cost control was supplanted by security as a top concern of IT executives last year.
“Our latest survey findings indicate that IT spending on security and business continuity has increased at 59 per cent of organizations in the last 12 months,” said Lucie Draper, program manager for IDC’s Enterprise Technology Trends, Vertical Markets Group. “We believe that despite the economic environment, and in some cases because of the geopolitical environment, the prospects for vendors of security technologies are good.”
It’s great news for security solution providers (SSPs).
Depending on who you ask, a security solution provider can be anyone from an anti-virus software salesperson to a purveyor of specialized tools and methodologies. Virtually anyone can hang out a shingle that says “Security” on it.
In fact, said Claudiu Popa, president of Informatica Corp., “We find that most ‘security solution providers’ are networking companies that put the word ‘security’ in their names. We see a lot of one- or two- or ten-person companies that are essentially networking or integration companies. They provide very superficial service; they fail to configure products adequately.”
That means prospective customers, be they resellers or end users, have to do their homework before selecting an SSP.
Charon Systems, a Toronto-based IT service provider, is, in its various divisions, both a provider of security solutions and a consumer of them. Peter Cresswell, national security practice manager, says that, with his client hat on, he looks for a provider “who has a vision that matches mine around the necessity of security being a pervasive solution in the space we’re trying to deal with.”
As a provider, he tries to sell the idea that there is no silver bullet. He said, “The magic point on the network where you put a magic box doesn’t exist.”
Rosaleen Citron, CEO of WhiteHat Inc., a Burlington, Ont.-based SSP, defines the specialty this way: “It is a company that can provide/recommend all security solutions, whether they be commercial products, freeware, managed services for clients who want security however do not have the resources to handle it themselves, best practices education for their staff, or full services with reports written in English that the executive understands.”
“This,” she added, “is really a brief — believe it or not — description of what a true security provider offers.”
Specialists
Some companies, of course, specialize in specific areas. Security Innovation Inc. (SI), of Wilmington, Mass., for example, focuses on application security, so to its director of security technology and research, Dr. Herbert Thompson, an SSP has a narrower function. It is “a company that provides value to customers through helping in the software development lifecycle and deployment lifecycle and maintenance lifecycle.”
“Security has largely been a pain issue (for customers),” he added.
There’s enough pain that, according to IDC, security consulting is one of the most widely used services in businesses of fewer than 1,000 employees, and Gartner has stressed that information security will be an executive concern for the foreseeable future.
That’s why SSPs exist: To ease the pain by working with customers, and their resellers, to mitigate risk in many ways.
“Customers approach us motivated by buzzword reasons like Sarbanes and PIPEDA,” Cresswell said. “We have to do education to explain what it means. Most of the time they’re just saying ‘help’; they acknowledge that security is important, but we’re selling something that doesn’t exactly drive the bottom line.”
For Citron, customers are a bit more focused. “The clients usually come to us for the security services, assessments, policy, privacy and managed services, with the exception of the mega-companies that have their own security staff and need the commercial products.”
Some want training
Popa’s direct customers often call for employee training in security awareness. “We regularly train hundreds of employees on a yearly basis and follow up by providing them with the support they need to adopt best practices and protect corporate information assets,” he said.
“Because they are often set up to sell products, many resellers overlook the business opportunity of offering training solutions and that can be a costly mistake, not only because it represents lost revenue, but also because it is often the best way to strengthen client relationships to generate additional sales.”
For developers, Thompson said, the cost of deploying insecure applications, with today’s government regulations and attendant stiff penalties for infractions, is what drives them to seek advice.
Resellers, on the other hand, go to SI to provide consulting for customers who buy their platforms.
In fact, consulting engagements are a common theme when it comes to SSPs and resellers. “Resellers tend to come to us for areas that haven’t reached the magic box level: Identity management, authentication, and architecture issues that require more in-depth knowledge to implement,” said Cresswell.
Added Citron, “Resellers tend to come from products with some attached services, although more and more this past year we have calls asking us to attend meetings with resellers and their clients; it gives them credibility to be working with a ‘real security company’.”
But with all of these possibilities, and so many purveyors of security snake oil around, how does a reseller find a trustworthy partner?
“A good way for resellers to evaluate a company promoting itself as a security expert is to look at their degree of expertise,” Popa advised.
“Are they a newcomer whose product offering is based on the latest ‘hot’ area of security concern (phishing, for example) or do they have a track record of integrity, diversification and effectiveness? The way to evaluate them is to call their clients and ask about the company’s expertise in other areas, their track record of customer service and integrity. Be honest with them and you may be surprised at some of the answers you get.”
Know the people
“One of the truisms of security is it’s all about the people,” added Cresswell. “Meet the people involved. There are lots of (security) certifications out there, and certifications are worth the paper they’re printed on, but if someone is hanging out their shingle without one, ask why.
“Ask what their security vision is. Discuss ‘what is security’ – people who have been in the business for awhile talk about risk management, and understand the difference between vulnerabilities and risks and threats.”
“There are a lot of ‘reformed hackers’ who started security companies who are often one trick ponies; they know how to exploit, say, buffer overflows really well, but aren’t sure how to test for other issues,” Thompson noted.
“There’s a big credibility issue. When evaluating an application security service provider, ask where did the company come from. You have to look at who the company’s customers are and what they’re saying about it. Find out the skill sets of the company’s employees.”
Citron agreed. “Your information assets are the keys to your corporate kingdom. Anytime a client wants someone to look at their infrastructure, data, etc., they would be well advised to go through a secure company.
“Compani