Endpoint Security
Nemertes Issue Paper: Virtual Insecurity
The Issue:
Nemertes Benchmark: Security and Information Protection - Volumes 1-4
Overview:
It’s been a long time coming, but the indications are that security and information protection are finally within spitting distance of getting the mindshare they merit, based on the only metric that really matters: Cash on the barrelhead.
In volume 1 of our ground-breaking benchmark, "Security and Information Protection: Trends and Organizational Issues", we highlight the acceleration in spending on security and information protection, discuss critical drivers, and drill down into the organizational and operational impacts. Security budgets have grown another 20% since our last benchmark (in 2005), and indications are that double-digit growth will continue through 2008 and beyond. Moreover, that growth is increasingly shifting away from consultants and staff and toward products and services—good news for vendors and providers. Security organizations are evolving as well, with the most significant trend being the shift in focus from “chief security officer” to “chief risk mitigation officer,” mirroring the overall organizational shift in focus from security to risk mitigation. In line with this shift, security teams are picking up responsibility for areas they don’t historically support (such as business continuance and facilities) but which, if not well managed, can increase an organization’s risk. And security remains a great career path: along with this increased responsibility comes a welcome (and sustained) increase in salary. In our upcoming volumes, we drill down into the specifics.
Nemertes Benchmark: Security and Information Protection
Overview:
It’s been a long time coming, but the indications are that security and information protection are finally within spitting distance of getting the mindshare they merit, based on the only metric that really matters: Cash on the barrelhead.
In volume 1 of our ground-breaking benchmark, "Security and Information Protection: Trends and Organizational Issues", we highlight the acceleration in spending on security and information protection, discuss critical drivers, and drill down into the organizational and operational impacts. Security budgets have grown another 20% since our last benchmark (in 2005), and indications are that double-digit growth will continue through 2008 and beyond. Moreover, that growth is increasingly shifting away from consultants and staff and toward products and services—good news for vendors and providers. Security organizations are evolving as well, with the most significant trend being the shift in focus from “chief security officer” to “chief risk mitigation officer,” mirroring the overall organizational shift in focus from security to risk mitigation. In line with this shift, security teams are picking up responsibility for areas they don’t historically support (such as business continuance and facilities) but which, if not well managed, can increase an organization’s risk. And security remains a great career path: along with this increased responsibility comes a welcome (and sustained) increase in salary.
What we are afraid of.
Submitted by John Burke on Fri, 2007-04-27 11:56.
Preliminary analysis of the data for Nemertes' forthcoming Security and Information Protection benchmark shows that approximately 63% of participants want to deploy (or more broadly deploy) technologies that they felt they could not, for security reasons. Of those, half named wireless as the technology in question, and over a quarter named collaborative tools, especially IM.
Network admission and endpoint control: waiting for standards
Submitted by Andreas Antonopoulos on Fri, 2007-03-23 10:59.
While enterprises are interested in the concept of endpoint control and admission, they are not committing budget just yet. IT executives are looking at both aspects of endpoint control: admission/access at L2/L3 and also policy verification and remediation (is the AV up to date etc.).
Some companies are implementing "poor man's NAC" by using RADIUS or ACLs to restrict access to known hosts. Such solutions may provide some control but become quite unmanageable in large networks. Others are using their VPN clients to do some basic policy checks on endpoints.
But the vast majority are still waiting for Cisco, Microsoft and others to agree on standards and provide broadly interoperable and mature solutions.
Network World: Think Twice About New Security Gizmos
In a recent study about spyware by Nemertes Research, Senior Vice President Andreas Antonopoulos was surprised to find that 16% of the companies examined were not concerned about the threat.
Suspecting that was because they were small companies, he dug deeper, but found they were some of the largest companies analyzed. He also discovered why they weren't concerned: they spent 6% to 8% of their IT budgets on security, twice what the average company spends.
Nemertes Impact Analysis: Cisco Open Sources NAC Client, Highlights Microsoft's Growing Security Maturity
By John E. Burke, Principal Research Analyst, February 15, 2007.
Cisco (NASDAQ:CSCO) this week announced that it would cease development on its desktop network access control (NAC) agent, called the Cisco Trust Agent (CTA) and spin it off as an open-source project. Cisco's decision highlights Microsoft's (NASDAQ:MSFT) growing maturity in providing core desktop security.
Cisco's action is an admission that Microsoft's Network Access Protection (NAP) agent can satisfy enterprise demands well enough that CTA is no longer a viable (profitable) offering. Fewer organizations will need CTA since Microsoft and Cisco agreed last September to have the NAP agent be Cisco's NAC agent for Vista and what follows, and since Microsoft boosted the features for XP's NAP agents, as well. By throwing the code open, Cisco gets out of the business of maintaining CTA for non-Windows systems and unsupported Windows versions, and can shift its attention elsewhere.
Endpoint Security Podcast
Endpoint Security Podcast featuring Andreas Antonopoulos, Nemertes SVP & Founding Partner
Hackers target data centers for extortion
* Cyber-extortion
By Andreas M. Antonopoulos, Network World, 11/01/05
Many companies have faced a scary situation: cyber-extortion, in which hackers will try to extort a fee while holding a company’s data hostage.
Back up the endpoints
* Backing up data when it’s scattered among thousands of desktops
By Andreas M. Antonopoulos, Network World, 09/06/05
Few businesses would be reckless enough not to have comprehensive and regular backups of the data in their data centers and servers.
Identity: more than just security
* Identity management can have uses beyond security
By Andreas M. Antonopoulos, Network World, 08/30/05
Identity management and the associated identity servers and protocols are becoming increasingly important components of corporate information-security strategies.
How to deal with the ‘porous perimeter’
By Andreas M. Antonopoulos
Network World Data Center Newsletter, 06/01/04
Medieval cities were built like fortresses: city walls separated “insiders” from “outsiders,” with the city gate acting as a single point of access control.
