Some experts are predicting that most products and tools will be obsolete in about five years. See why the best strategy may be to build a "culture of security" instead of relying entirely on technology.
Although well marketed, most information security products will soon be technically inadequate.
GartnerGroup issued that sobering prediction for the five-year health of the information security market in a recent 12-page report titled "Privacy on the Line." The report identifies a number of reasons for the technical shortcomings and offers managers ways to protect their current investments in information security.
The short life span
One explanation for the technical failure of security products is market consolidation, according to John Pescatore, GartnerGroup research director.
“We haven’t even begun to see the consolidation in this market,” said Pescatore. “The challenge we see is that because the market is changing so rapidly, no vendor has been able to come up with best-of-breed products.”
The author of “Privacy on the Line” suggests that the biggest problems ahead don’t involve technology, but people.
“The reason most information security solutions will fail is that most people don’t fully comprehend the issues,” according to a Gartner analyst. “The fact is, no technology can solve these problems. You can’t just pour two pounds of security solutions on the problem and expect it to go away. This is a manager’s deployment issue.”
Gartner recommends that the first thing managers need to do when considering information security needs is take a step back from the technology and focus first on the people. This is what GartnerGroup refers to as a “culture of security.” Set aside time each month to perform an information security risk assessment. Information security is no longer a purely technical issue. Involve as many people as possible, especially Web development personnel.
Walking the secure path
Here are some tips for managers in creating a culture of security:
- Security policies: With your company’s needs in mind, start building policies regarding security. How long before passwords should be changed? Who will check to make sure that administrative ports are closed? Establishment and enforcement of these policies are critical before any new technology is introduced.
- Awareness and training: This is one of the most important steps. After policies are set, everyone in the organization should know their role in protecting information. Develop general awareness of security issues and procedures. Everyone in the organization should know who to call in case of a security breach.
- Evaluation: After a security policy is implemented, key personnel should evaluate it on an ongoing basis, checking for violations and evaluating the overall health of the security policy.
Once managers have mapped out the deployment issues, it’s time to buy and deploy information security products based on the company’s needs. How can technical managers best address these security challenges for the next five years?
Steve Hunt, research director at Giga Information Group, Cambridge, MA, offered this advice: “Network administrators must re-architect the network boundaries. Administrators will be challenged to dismantle the existing hard and clear boundaries of a firewall, giving users outside the firewall the same privileges as those behind the firewall.”
Hunt also cautioned managers not to rely on firewalls as the sole means for authentication.
“Appropriate security doesn’t always mean a firewall,” says Hunt. “In fact, we will see authentication features embedded in routers, Layer 3 switches, and security appliances.”
Strategies for surviving shakeout
The technology for information security is still evolving. So in five years, security solutions will be a lot different than they are today. Here are key survival strategies:
- Keep a watchful eye on all network traffic. Most security consultants are in agreement on this one: The key piece of the information security puzzle is a good collection of intrusion detection measures.
- Security appliances will play a key role. Next to intrusion detection, the emerging market for all-in-one security appliances, such as those offered by Cobalt Networks, is predicted to be in high demand in the next five years. Expect to see a boom in these devices by mid-2001.
The final test
As a final consideration, here’s an unconventional suggestion from some of the hackers at L0pht Heavy Industries, now part of the security consulting firm @stake.
If you think your Web server is secure, offer a challenge to the hacker community. Though it may seem like an outrageous idea, it has worked for other companies. Recently, a leading tech firm tried this technique. After hundreds of hackers were invited to attack a Web server, the attacks helped the company discover security flaws.
In the words of one L0pht hacker, “Better to find out your server is insecure now than read about it in the paper.”
What do you see happening to the information security market in the next five years? Post a comment below or send us a note to suggest a new topic for discussion.