In the SearchSecurity.com on-demand webcast Information security: Analysis and recommendations, speaker Jon Oltsik explores common security issues and suggests a series of recommendations to overcome these challenges based upon months of research. Jon is a founder and principal of
Besides the technologies you mentioned in your presentation, which others are promising?
Personally, I like tools that help IT staff automate processes and operations. Patch management is an area that's bound to grow. Security best practices demand that IT keep up with current security patches, but how can you do this if you have 500 geographically dispersed Windows servers? IT managers will have to deploy patch management tools, or they will either be exposed to security vulnerabilities or overwhelmed with work. I also believe that Identity Management – the other IM – has great promise. Managing employee accounts on networks, applications and IT services just doesn't scale. There are too many manual processes that can fall through the cracks. Tools that automate the IM process are in an early stage, but I expect them to grow and prosper.
Can an organization be too secure?
Hmm, that's an interesting question. Security practices must be based upon a thorough risk assessment process. The key here is balance – apply security policies and technologies where they are most needed. It wouldn't make sense for a company to demand two-factor authentication or lock down its Web server unless these tactics are warranted. What I'm saying here is that it may not be possible for a company to be 'too secure,' but it is certainly possible to misappropriate security spending and lose focus.
In your research, did you hear any good or bad security stories you can share?
The scary thing about security is how many bad stories you hear. I heard about misconfigured firewalls. I heard about companies that rarely checked log files and others who had no idea what the log files said. I heard about IDS systems that gave out so many false positives that they were completely ignored. I remember one really smart director of operations telling me that when it came to security, his company was completely lost and lucky they hadn't been attacked. I heard a few good anecdotes, but I can honestly say that the horror stories were dominant. Very frightening.
Is security technology a good sector to invest in?
Well I'm not a financial analyst, but I do see growth in the sector overall. There will be a lot of consolidation and many failures but a few companies are bound to prosper.
For more information, visit these resources:
- White paper: Information security management: Analysis and recommendations
- Best Web Links: Security management
This was first published in June 2003