The rethinking of computer security

Industry watcher Jon Oltsik explains the changes powering the most profound transition in the history of the computer security industry.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
The security industry is in the midst of a transition, one that promises to profoundly change the way businesses think about the subject. In many respects, it parallels how the creation of the Web browser reshaped people's thinking about the potential of the Internet.


Recall that the advent of the Web browser helped transform the Internet from a clubby insider research vehicle to an essential piece of the global business infrastructure. But the system also needed to become more reliable, easier to use, and better integrated into business processes before its potential could be reached.

Similar demands now attend the field of information security thanks to the accelerating intersection of security and business. One sign of the changing times was on full display last month when Microsoft Chairman Bill Gates was invited to deliver the keynote speech at the RSA Security conference. Microsoft's record obviously stirs passions in the security industry, but there is little doubt that the company definitely gets it now.

Indeed, Microsoft is investing a good part of its $6.8 billion R&D budget in areas like intrusion prevention, antispam protection and identity management. As if to underscore the depth of Microsoft's newly found commitment, Gates' presentation included not one, not two, but three product demonstrations.

Like browsers, TCP/IP stacks and Web servers in the past, Microsoft will bundle security features into future versions of Windows. While this is necessary to appease customers, Microsoft actually has several goals in mind.

Bundling security will accelerate Windows upgrade cycles. Integrating security into management tools will enable the company to help customers lower operating costs. And aggregating security functionality into servers and applications will help Microsoft address its customers' strategic business needs. The technologies may not be superior--with Microsoft, they rarely are--but as the software maker builds security into the business infrastructure, customers will buy nonetheless.

In comparison, much of the rest of the RSA conference looked like a technology love-in. Vendors were able to talk about how their particular technology widgets could block malicious traffic, but few were able to translate this into business protection terminology and benefits.

In the rest of the technology world, the business-centric technology view is old hat. Cisco Systems is masterful at bundling its products into a grand vision of a network-connected world. EMC has the whole storage industry on the defensive with its Information Lifecycle Management initiative. IBM, Hewlett-Packard and Oracle all talk about increasing business responsiveness and flexibility and reducing operating costs.

This is not meaningless rhetoric either. These companies still live and die by product sales, but their corporate culture now revolves around how they can help their customers meet business challenges.

This security transition is happening as enterprise companies increasingly demonstrate that they finally understand the need for security. At first blush, this may seem painfully obvious, but the history of the last few years suggests otherwise. Nonetheless, changes are afoot.

For starters, security spending is up and will continue to rise. Second, the scope of potential threats is greater now than ever before, and chief information security officers are responsible for policing an expanding territory that includes wireless LANs, IP telephony and oodles of Web-based applications.

Equally important, the corporate folks who control the purse strings are willing to fund bigger security budgets because they realize that the business itself is at risk.

For years, the security industry has been somewhat of a geeky oddball in the league of technology nations, but the world is changing and security companies need to change their attitudes accordingly. It's no longer just about blocking malicious code better than the other guy. The dialogue has to focus on enabling critical business processes and protecting assets. I'd hate to be the last nerd standing in a competitive battle with Computer Associates, Microsoft, Network Associates or Symantec.