ORLANDO, Fla. -- When Gartner Inc. vice president John Pescatore looks to 2004, he sees a couple of things that security administrators need to worry about, and they're not just in the realm of malicious code.
Next year, the security budget for the average enterprise will, for the first time, constitute more than 5% of its overall IT budget, Pescatore said Monday during a session at Gartner ITxpo. So, for many, 2004 will be the first year that security spending shows up on the CIO's pie chart.
What that means, Pescatore said, is that CSOs had better be ready to quantify what they're doing, in terms as clear as those used by network administrators, who can describe their performance in terms of downtime statistics, or by help desk officials, who can talk about how quickly they resolve system problems.
"I really think the key challenge that we're going to face over the next couple of years is demonstrating that we're delivering some sort of [specific] security service level and defending how much money is being spent to achieve that service level," said Pescatore, who is vice president for Internet security at Stamford, Conn.-based Gartner Inc.
His session, titled "Information Security Scenario," was one of three security presentations. Others focused on cybersecurity threats and security architecture.
In an interview after his talk, Pescatore added that security is always a big draw at the Gartner show. He estimated that generally about 25% of conference attendees come for security. Overall, about 6,000 people are attending this fall's ITxpo, which began Sunday and runs through Friday.
"It's an important topic," said Robert Loomis, an assistant director of IT at the New York State Employees Retirement System, which, as part of the state comptroller's office, is currently working on a security policy. "It's helpful to see this, to kind of confirm the goals that we've got. We've done a good job, I think."
Some of the advice that resonated for Loomis included the notion that organizations should establish enterprise-wide goals before adopting specific rules.
Other advice that was offered includes: Take insider threats seriously. Learn to speak the language of business managers. And don't buy shoddy software -- make vendors demonstrate that their products are secure.
Other observations were less intuitive. For instance, Pescatore said admins shouldn't expect to see smart cards and biometrics become the norm anytime soon. Rather, among the new methods of user authentication, he singled out a different winner, one that involves the use of cell phones. With this method, a user logs into his account, is prompted for his password, and then a text message is sent to his cell phone with an additional code he must key in to the computer.
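The flow Pescatore described has a server-side half that is easy to get wrong: the code must be random, short-lived, single-use, and not brute-forceable through the login form. The following is an added example written for this page, not code from Gartner, the article, or any vendor mentioned in it. The `send_sms` gateway hook and the `alice` user are assumptions; the hashing of the stored code is a design choice for the example, not something the article specifies.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # short enough to retype from a text message
CODE_TTL_SECONDS = 300   # a code is useless after five minutes
MAX_ATTEMPTS = 5         # guesses allowed before the code is discarded


@dataclass
class PendingCode:
    code_hash: bytes   # salted hash, so a dump of this table does not leak live codes
    salt: bytes
    expires_at: float
    attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    # A six-digit space is tiny, so the hash only protects against casual
    # disclosure (logs, memory dumps); the attempt limit is what stops guessing.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class SmsSecondFactor:
    """Server-side half of the password-then-SMS-code login flow.

    send_sms(phone, message) is a hypothetical gateway hook (assumption);
    clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}

    def start(self, username: str, phone: str) -> None:
        """Step two of the login: call only after the password check passed."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingCode(
            code_hash=_hash_code(code, salt),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        """Step three: check the code the user keyed in."""
        pending = self._pending.get(username)
        if pending is None:
            return False                        # nothing outstanding for this user
        if self._clock() > pending.expires_at:
            del self._pending[username]         # expired: force a fresh code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]         # too many guesses: start over
            return False
        ok = hmac.compare_digest(_hash_code(submitted, pending.salt), pending.code_hash)
        if ok:
            del self._pending[username]         # single use: a replayed code fails
        return ok


if __name__ == "__main__":
    # Constructed demo: capture what would have been texted instead of sending it.
    sent = []
    factor = SmsSecondFactor(lambda phone, msg: sent.append(msg))
    factor.start("alice", "+1-555-0100")        # constructed sample user and number
    code = sent[-1].split()[-1]
    print("correct code accepted:", factor.verify("alice", code))
    print("replayed code accepted:", factor.verify("alice", code))
```

The attempt counter is per pending code rather than per request, so a guesser gets five tries against each code and then has to trigger a new text message, which is itself a signal worth alerting on. One caveat from the vantage point of today rather than 2003: the channel Pescatore picked as the winner is now treated as the weakest of the one-time-code transports (NIST SP 800-63B classifies SMS delivery as a restricted authenticator because of SIM swapping and carrier-side interception), so the same server logic is better paired with an authenticator app or hardware token where the user base allows it.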
Another idea Pescatore pegged as a myth is the notion that "security is a journey, not a destination." The saying is frequently used to make the point that organizations should never stop thinking about security. While that may be true, Pescatore said, the journey can't be entirely free flowing.
"We're on a cruise to nowhere," Pescatore said, gently poking fun at those who adopt the journey-not-a-destination mantra. He added, "You better have some waypoints along the way, if you're on this cruise." To address that issue, Pescatore offered some tips on how to quantify security-related metrics. (See sidebar.)
Attendee Robert S. McKeeman said that he found those tips useful and that he enjoyed the discussion of accountability.
"I think that's an issue," said McKeeman, who works on a contractual basis for the cybersecurity division of the U.S. Department of Veterans Affairs. Asked whether he faces the kinds of accountability questions Pescatore described, he said: "all the time."
Others, however, said they would have liked to see more specifics. At the close of the third hour-long session, Don Morrison, director of IT services for Novell Inc., said, "It's difficult in an hour to get to the meat of the issue."
Asked what sorts of details he'd have liked to see, Morrison said that, since he's so focused on his own environment, he finds detailed best practices of other companies to be useful.
Still, he added that it's understandable that that sort of data isn't being shown on slides at the ITxpo: "Of course, security is a real hard area to get case studies for," since most companies don't want to reveal details about their security operations. Morrison did reveal one fact about Novell, though: The company dealt with 800,000 attempted attacks in August, way up from only 2,500 in May.
"We have done pretty well," he said. And that's with less than 5% of the IT budget.