Identity Management
Nemertes Issue Paper: Virtual Insecurity
The Issue:
Nemertes Benchmark: Security and Information Protection - Volumes 1-4
Overview:
It’s been a long time coming, but the indications are that security and information protection are finally within spitting distance of getting the mindshare they merit, based on the only metric that really matters: Cash on the barrelhead.
In volume 1 of our ground-breaking benchmark, "Security and Information Protection: Trends and Organizational Issues", we highlight the acceleration in spending on security and information protection, discuss critical drivers, and drill down into the organizational and operational impacts. Security budgets have grown another 20% since our last benchmark (in 2005), and indications are that double-digit growth will continue through 2008 and beyond. Moreover, that growth is increasingly shifting away from consultants and staff and toward products and services—good news for vendors and providers. Security organizations are evolving as well, with the most significant trend being the shift in focus from “chief security officer” to “chief risk mitigation officer,” mirroring the overall organizational shift in focus from security to risk mitigation. In line with this shift, security teams are picking up responsibility for areas they don’t historically support (such as business continuance and facilities) but which, if not well managed, can increase an organization’s risk. And security remains a great career path: along with this increased responsibility comes a welcome (and sustained) increase in salary. In our upcoming volumes, we drill down into the specifics.
Nemertes Benchmark: Security and Information Protection
Overview:
It’s been a long time coming, but the indications are that security and information protection are finally within spitting distance of getting the mindshare they merit, based on the only metric that really matters: Cash on the barrelhead.
In volume 1 of our ground-breaking benchmark, "Security and Information Protection: Trends and Organizational Issues", we highlight the acceleration in spending on security and information protection, discuss critical drivers, and drill down into the organizational and operational impacts. Security budgets have grown another 20% since our last benchmark (in 2005), and indications are that double-digit growth will continue through 2008 and beyond. Moreover, that growth is increasingly shifting away from consultants and staff and toward products and services—good news for vendors and providers. Security organizations are evolving as well, with the most significant trend being the shift in focus from “chief security officer” to “chief risk mitigation officer,” mirroring the overall organizational shift in focus from security to risk mitigation. In line with this shift, security teams are picking up responsibility for areas they don’t historically support (such as business continuance and facilities) but which, if not well managed, can increase an organization’s risk. And security remains a great career path: along with this increased responsibility comes a welcome (and sustained) increase in salary.
Security: Risk and Reward: OpenID: User-centric Identity
Network World: Security, By Andreas M. Antonopoulos, Network World, 3/5/07
Looking at the development of different technologies in the last two decades, I am amazed at the vast difference between how a technology was first envisioned and how it ended up being implemented.
You start with a tightly coupled, hierarchical, centralized design by committee. Invariably, an august organization is chosen to run it: a phone company, the postal service, the government, a big vendor. Examples of this type of design are: X.25, X.500, X.400, PKI and Microsoft Passport (Windows Live ID). The design languishes for years while politics and control issues prevent its implementation. Then some organization, committee or coder takes the original design, strips it down and implements it as a more loosely coupled, decentralized, ad-hoc version. See IP, SMTP, DNS, Lightweight Directory Access Protocol, the Web and OpenID.
Are banks limiting online integration with finance software because of new regulations?
Submitted by Andreas Antonopoulos on Fri, 2006-11-03 16:16.
Banks may be dropping support for online direct connections from Money and Quicken while scrambling to comply with new banking regulations. If you are a user of these software applications you may find that you lose features either temporarily or permanently.
In October of 2005 the FFIEC (a bank regulator) created a regulatory "guidance" that pushes banks towards stronger authentication. Authentication that is appropriate for the risk level is required for transactions involving large sums of money, transfers out of the account or other transactions which may be the target of hackers. That may mean two-factor or other approaches, but any changes must be made by the end of 2006 (see FAQ).
Open Source Identity Management Moves Control to the User
By Andreas M. Antonopoulos, SVP and Founding Partner, Nemertes Research Inc.
March 3, 2006
IBM (NYSE:IBM, http://www.ibm.com), in collaboration with Novell (Nasdaq:NOVL http://www.novell.com) and privately held Parity Communications (http://www.parityinc.net/), announced the launch of project Higgins (http://www.eclipse.org/higgins/). Higgins is an open source framework for user-centric identity management which highlights the increasing importance of identity management and federated identity.
User-centered identity management puts users in control of their personal information, able to decide how much information they provide to third parties such as banks, doctors and retailers. A user of Higgins may have many different identity contexts – personae – each of which is compartmentalized. The user has an aggregated view of all of these contexts, greatly increasing the user’s control. Banks, doctors and other providers who require identity information can federate with the appropriate user context, while allowing the user to maintain control over the accuracy and dissemination of their identity information.
Why network and security operations should not be separate
* Converge network and security operations centers to focus on the business
By Andreas M. Antonopoulos, Network World, 12/20/05
Network operations and security operations share a single goal: maintaining business availability and protecting business information.
Hackers target data centers for extortion
* Cyber-extortion
By Andreas M. Antonopoulos, Network World, 11/01/05
Many companies have faced a scary situation: cyber-extortion, in which hackers will try to extort a fee while holding a company’s data hostage.
"Managing the digital identity crisis", Nemertes quoted in Financial Times article
By Paul Taylor
Published: July 27 2005 10:38
Once a sleepy IT backwater, identity management has been thrust into the spotlight over the past few years...
According to a recent report prepared by Nemertes Research, the US based research firm, 38 per cent of all enterprises cite identity management as a top-funded security initiative.
Impact Analysis: Microsoft Framework Accelerates Identity-Management Momentum
By Johna Till Johnson and Andreas M. Antonopoulos, Nemertes Research Inc.
May 20, 2005
Microsoft’s (NASD: MSFT) recently announced distributed-identity infrastructure initiative highlights the growing momentum behind identity management. The initiative, called the Identity Metasystem, is designed to simplify access to corporate resources and protect user privacy across the Internet. The move aligns closely with enterprise requirements: According to recent Nemertes research, 38% of all enterprises cite identity management as a top-funded security initiative, and most organizations that Nemertes considers “leading-edge” in security deployment are focusing on it today.
Impact Analysis: CA’s Netegrity Buy Highlights the Value of Identity Management
October 14, 2004
By Johna Till Johnson, president & chief research officer, Nemertes Research
The recent acquisition of Netegrity (Nasdaq:NETE) by Computer Associates (NYSE: CA) for $430 million in cash highlights the growing importance of identity management (IM). As companies increasingly seek to automate business-to-business transactions and externalize their infrastructure and processes, identity management becomes key. In a recent Nemertes Research benchmark on externalization, 100% of IT executive participants reported externalizing at least some non-core business functions (finance, accounts payable/receivable, HR, etc), and 89% reported externalizing at least some core business functions. All participants indicated that effective identity management is one of the top requirements enabling externalization.
Components of identity management
By Andreas M. Antonopoulos
Network World Data Center Newsletter, 07/06/04
A critical finding in our recently released benchmark, “Extending the Enterprise,” is that securing a data center effectively requires that every element within the data center - from switches and routers to servers and storage - be integrated into an overarching security plan.
