Information Security News mailing list archives

Re: Analysts: Security's where the money is


From: InfoSec News <isn () c4i org>
Date: Tue, 12 Feb 2002 02:57:52 -0600 (CST)

Forwarded from: Jay D. Dyson <jdyson () treachery net>

-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 11 Feb 2002, InfoSec News wrote:

Two segments of the computer-security industry should shake off the
general tech-market malaise and score double-digit growth this year, a
pair of market researchers said Monday. 

        Curiously enough, the vast majority of such jobs appear to be in
the .gov sector on the East Coast; and most of those opportunities require
a security clearance (which, if you don't have one already, you'll need
some good luck in getting one). 

Meanwhile, managed security services should grow even faster, according
to market researcher IDC, which estimates that such network-protection
providers will take in $2.2 billion in 2005, up from $720 million in
2000.

        I'll believe it when I see it.  By and large, managed services
providers are priced well beyond the budgetary limitations of medium and
small businesses (especially in today's economy).  Furthermore, medium and
small businesses tend not to take security as seriously as large scale
firms (all of which already have and can afford their own in-house
talent).

        As one who was previously employed as a Senior Security Engineer
for a Silicon Valley-based managed services firm, I personally don't
believe the managed services market is going to see any serious change in
2002 or 2003.  Given the positively glacial pace at which the commercial
sector embraces genuine security, I honestly don't expect anything serious
to happen in that field until 2004 or 2005.

The optimistic outlook reflects the realities of a post-Sept. 11 world,
as companies and governments are turning to the computer-security
industry to help them secure their most critical information-technology
systems. 

        Considering the continued and increasing use of Microsoft
products, I find that difficult to believe.

"Enterprises are looking particularly at defensive security technologies
such as antivirus software, intrusion detection systems and firewalls," 
Colleen Graham, industry analyst for Gartner Dataquest, said in a
statement. "Government and defense will increase spending in reaction to
public concern about the shamefully low scores received in security
audits performed in reaction to increased concerns about the security of
the government IT infrastructure."

        I personally have yet to see a truly aggressive security strategy
put in place on the .gov side.  And that's not for lack of trying on my
part.  Government sectors insist on commercial off-the-shelf (COTSE) crap
over the far more flexible and robust Open Source solutions.  Still worse,
rather than pursuing full-blown audits of their potential vulnerabilities,
they instead focus on a SANS-like "top fifty" set of problems, ignoring a
wealth of other concerns that exist.

        If there's going to be any meaningful change to this problem, it's
going to require a total shakedown...because what's in place now just
isn't cutting it. 

More telling than the reports, however, may be a pledge made by the
world's largest independent software company. In mid-January, Microsoft
Chairman Bill Gates stated in a company-wide e-mail that security had
become priority No. 1.

        Actions speak louder than words...and the words themselves are too
little, too late.  Hell, I'm *still* left cleaning up the Nimda, BadTrans
and Sircam droppings left around my systems from other people's networks. 

        Granted, Microsoft has recently announced that they're going to
spend a month working on cleaning up their security problems.  Even the
most blindly optimistic soul can't possibly hope to undo decades of poor
security with a 30-day code audit.  That's like expecting years of dental
neglect to be remedied by a five-minute brushing.

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `The armed are citizens.  The unarmed are subjects.'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPGer5rlDRyqRQ2a9AQGeAwP/a/xiSm4v8T0tkY9Zm5rHBas1QXEnkR4I
SMgL8JoQUepdujzHWmfFrKrgHjmSR16jMunH+dKdZWEDRxJX/qaXrCWdm6zWHkR5
zBpSbK+BNq/gTgqVdF0kyHZ0xqAFUg0z6qozgl6TjO8gqLrlAVp5mEP7MYg0jwNS
MFxoHbyQv/E=
=GzJB
-----END PGP SIGNATURE-----



-
ISN is currently hosted by Attrition.org
