It was a black day at credit card services provider CardSystems when it became apparent that breaches of its IT security had exposed 40 million Visa and MasterCard customers' details. The attack threatened to destroy its reputation as a trusted third party for the credit card companies.
In the aftermath, CardSystems' CEO, John Perry, sought to deflect blame onto its security auditors, Cable & Wireless, for "deficiencies" in checks on the company's electronic defences. C&W maintained there was nothing wrong with its audit process, backed by other security experts who noted that the audit was conducted 17 months before the breach – a lifetime in the constantly changing security climate.
Many organisations now claim to place security audits and penetration tests at the heart of security strategies. These audits are intended to form the basis of a risk assessment – establishing clear business objectives for implementing security controls.
Indeed, at chemicals giant ICI, vulnerability scans are run on its Internet-facing technology once a week; it intends to do this for all of its 35,000 systems once a month. ICI's global information security director, Paul Simmonds, says that getting "proactive" is an increasing focus of the company's security spending.
But risk assessments only capture a company's security profile for one moment in time. Every organisation has access to vast amounts of real-time information. Firewalls, anti-virus and intrusion detection systems generate continual alerts which demonstrate their usefulness and inform future purchasing decisions.
However, it is difficult to make sense of this data because it comes from different vendors' products in different formats. "Companies have invested in point products for point threats for so long," says Alastair Broom, line of business head for security at Affiniti. "How do you overlay management technology over that? People have no idea if these security devices are doing the job they're supposed to be."
Some companies choose managed services providers to aggregate this data and compare it to that of their other customers to determine broader threat levels. But some vendors are seeking to help their customers do this themselves. Check Point recently launched NGX, a unified management platform for its security products. NGX is built on a common architecture and code base to enable simplified reporting, even from other vendors' products. "If you have too many [security management] consoles and have to synchronise them all in your mind, you cannot manage things in a reasonable way," says Marius Nacht, the company's co-founder and vice chairman.
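The aggregation problem described in the two paragraphs above (alerts from firewalls, anti-virus and IDS arriving in different formats, and a single console or service rolling them up) can be illustrated with a small normalisation step. The following is an added example written for this article, not code from Check Point, Affiniti or any product named here; the three alert formats, the severity scales and all function names are constructed for illustration, and the sample lines are invented.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample alerts in three vendor-style formats (firewall
# key=value, anti-virus CSV, IDS bracketed text). The formats are
# invented for this example and do not reproduce any named product.
SAMPLE_LINES = [
    "fw: action=DROP src=10.0.0.7 dst=203.0.113.5 dport=445 sev=4",
    "av,2005-06-20T10:15:00,HOST-22,Trojan.Generic,quarantined,high",
    "[ids] [1:2003:4] Suspicious outbound connection [Priority: 2] 10.0.0.7 -> 198.51.100.9",
    "fw: action=ACCEPT src=10.0.0.9 dst=203.0.113.5 dport=80 sev=1",
    "this line is in no known format",
]

@dataclass(frozen=True)
class Event:
    source: str    # device class: firewall / antivirus / ids
    severity: str  # one scale shared by all sources: low / medium / high
    host: str      # internal host the alert concerns
    summary: str

FW_RE = re.compile(r"^fw: action=(\w+) src=(\S+) dst=(\S+) dport=(\d+) sev=(\d)$")
IDS_RE = re.compile(r"^\[ids\] \[[\d:]+\] (.+?) \[Priority: (\d)\] (\S+) -> (\S+)$")

def _fw_severity(level: int) -> str:
    # Hypothetical firewall scale: 1 (least) to 5 (most severe).
    return "low" if level <= 2 else "medium" if level == 3 else "high"

def _ids_severity(priority: int) -> str:
    # Hypothetical IDS scale: priority 1 is most severe, 3 least.
    return {1: "high", 2: "medium"}.get(priority, "low")

def parse_line(line: str) -> Optional[Event]:
    """Map one raw alert line onto the common Event schema.
    Returns None for lines no parser recognises, so one unexpected
    format does not abort the whole batch."""
    m = FW_RE.match(line)
    if m:
        action, src, dst, dport, sev = m.groups()
        return Event("firewall", _fw_severity(int(sev)), src,
                     f"{action} {src}->{dst}:{dport}")
    m = IDS_RE.match(line)
    if m:
        msg, prio, src, dst = m.groups()
        return Event("ids", _ids_severity(int(prio)), src, f"{msg} {src}->{dst}")
    if line.startswith("av,"):
        fields = line.split(",")
        if len(fields) == 6 and fields[5] in ("low", "medium", "high"):
            _, _, host, threat, action, sev = fields
            return Event("antivirus", sev, host, f"{threat} {action}")
    return None

def normalise(lines):
    """Parse every line, keeping the events and counting what was dropped."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed

def severity_by_source(events):
    """Counts of (source, severity): the roll-up a single console would show."""
    return Counter((e.source, e.severity) for e in events)

def hosts_seen_by_multiple_sources(events):
    """Hosts that more than one device class has raised an alert about.
    This cross-device correlation is only possible once formats are unified."""
    sources = defaultdict(set)
    for e in events:
        sources[e.host].add(e.source)
    return {h for h, s in sources.items() if len(s) > 1}

if __name__ == "__main__":
    evs, dropped = normalise(SAMPLE_LINES)
    print(f"{len(evs)} events, {dropped} unparsed")
    for key, n in sorted(severity_by_source(evs).items()):
        print(key, n)
    print("hosts alerted on by more than one source:", hosts_seen_by_multiple_sources(evs))
```

The point of the common schema is the last function: once the firewall and IDS alerts share a host field, the host that both devices flagged stands out, which is the kind of question that cannot be asked while each product's alerts sit in its own console and format. Unrecognised lines are counted rather than discarded silently, so a change in one vendor's format shows up as a rising "unparsed" figure instead of a quiet loss of visibility.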
Blurring the lines
Even armed with information about the business's priorities and vulnerabilities, the CIO's task of drawing up a security budget is further complicated by the blurring of the lines between "pure" security spending and other IT investments. "The difference in the last year is an acceptance of the challenge of security at an operational level," says Richard Millar, VP for Northern Europe at security technology supplier ISS. Deployment of technology does not always originate from a central IT department, but can come from business units using custom-built applications.
"There is no standard definition of a security cost," says Jason Creasey, head of projects at user group the Information Security Forum. "Over time as security becomes a more integral part of standard IT systems, it gets moved into the overall operational budget." For instance, anti-virus software is now part of the standard build of most corporate PCs.
"More and more security is ingrained into the network, so trying to pull out separate security spend in any IT project is increasingly difficult," adds Broom of Affiniti. "Our vision is that ultimately security will disappear as an autonomous technology."
ICI's Simmonds, whose security budget only encompasses functions done centrally across the whole organisation, agrees: "The more I can give away the happier I am. If you can build security into the business as normal rather than having this 'magic' called security, people don't realise security has become part of their everyday job."