
Security pros glean insight from '06

By Dennis Fisher
02 Jan 2007 | SearchSecurity.com


Behind the firewall with Dennis Fisher: The last few weeks of the year are the busiest ones for many people. That's true in the media world too, which means that instead of actual news and analysis, readers often are subjected to tiresome year-in-review and year-ahead stories. If you haven't been catatonic since last January, you already know what happened this year. And predictions for the year ahead are completely useless, especially in an industry that moves as fast as security does.

So instead of insulting your intelligence, we're going to enhance it and take a look at some of the important lessons we've learned in 2006. In no particular order, we learned that:

Consolidation is not slowing down. For a while it looked like the buying sprees of the last couple of years were an aberration driven by all of the cash that large security vendors had stockpiled in the booming security market. Not so much.

Symantec has continued to make acquisitions, and plans to do so again next year; IBM announced its presence with authority by purchasing ISS for $1.3 billion; and storage giant EMC bought RSA Security, the most venerable and recognizable name in the industry, for $2.1 billion. Don't be surprised if Microsoft, IBM, Cisco and others continue to add security companies to their holdings in 2007.

Microsoft is serious about the security business. Although its Trustworthy Computing efforts have gotten most of the ink in recent years, Microsoft's move to become a security vendor is no joke either. The company recently split its security group into a technology unit and a business unit, and has made some waves by hiring a number of smart guys like Adam Shostack and Vincent Gullotto. And its willingness to incur the wrath of its security partners over the Kernel Patch Protection mess shows that PR and marketing aren't piloting the ship.

Spam is here to stay. Despite the best efforts of a lot of very smart and well-intentioned people, we're no closer to solving the spam problem today than we were three years ago. The latest statistics show that about 90% of global email traffic is spam. Think about that—if nine of every 10 pieces of snail mail you got were junk, you would have abandoned the U.S. mail a long time ago. The fact that we're all still using email is a miracle by itself. Security measures like reputation systems and SenderID have proven useful, but the harsh reality is there's just too much money to be made via spam for it to ever stop.

George Bush doesn't care about cybersecurity. Exhibit A: The top cybersecurity job at the Department of Homeland Security sat vacant for more than a year until Gregory Garcia finally took the post this fall. Exhibit B: The vast majority of the initiatives laid out in the National Strategy to Secure Cyberspace are gathering dust on the shelf. Sad.

Your private information isn't. If the rash of laptop thefts, lost backup tapes and data breaches has shown us anything, it's that both huge multinational companies and government agencies—such as Boeing, Ameriprise and the Department of Veterans Affairs, all of which have comprehensive security and privacy policies—are no better at protecting confidential data than the average user is. As one privacy and security expert said to me recently, you should just assume that your Social Security number and credit card numbers have been compromised. As cynical as that is, it's probably not far off the mark. Maybe it's time to think about something radical, like publishing a list of everyone's Social Security numbers. This would eliminate their usefulness as identifiers, thereby making them worthless to identity thieves. But that would solve only part of the problem and would require banks, government agencies and myriad other organizations to purge their databases and assign random identifiers to all of their customers. Even if they started tomorrow, it would likely take years to become effective.

The all-in-one security provider is an endangered species. Symantec's acquisition strategy and the arrival of Microsoft in the market have made this a foregone conclusion. No single vendor has all of the pieces in place to challenge Symantec for supremacy in the security market as a whole. McAfee still has a varied portfolio, but management turnover and legal troubles have hampered its efforts of late. And while CA has a large security presence, it is much more focused on the overall systems management market. Microsoft's arrival on the scene certainly makes things interesting, and portends bad things for standalone antivirus and anti-spyware vendors. Their presence also makes it unlikely that smaller players will get frisky and try to roll up a bunch of acquisitions and present a challenge.

What will we learn in the year ahead? Hard to say, but by the looks of things, it will be just as interesting as 2006.
