Commentary: Toward a more secure world

By Richard Hunter, Gartner Analyst

Gartner expects that increased security concerns in the wake of the Sept. 11 attacks will stimulate the IT market as industries make investments to guard against the possibility of cyberattacks.

Gartner research shows that the

	See news story: Software makers thrive on Net threats

highest security software investments in 2001 were in the telecommunications and communications industries. In 2002, government, education, information technology and financial services are expected to have the highest security software spending.

Perfect security is impossible, but businesses must aim to provide a level of security that is appropriate to their operational needs. Security is achieved by a balanced focus on several factors such as people, processes and technology. Moreover, it can't be attained by focusing on any one of those factors to the exclusion of the others.

Gartner estimates that average business spending on security worldwide will increase by a factor of two to three within the next few years, and by a factor of 10 by the end of the decade. As usual where technology is concerned, most of that money will be spent on people, policies, processes and procedures.

People are often the weakest links in security initiatives. To solve the "people problem," businesses should do the following:

• Improve employee attitudes about security by encouraging and training them to behave more responsibly.

• Look for ways to "save people from themselves" by exploiting technology that reduces the human factor in security.

An information security policy is a keystone for all companies. However, although many businesses have policies and train employees on them, very few foster a culture of security awareness that promotes the recognition and reporting of security issues.

Technology has its own momentum and consequences. The tools of surveillance and analysis have become small, inexpensive and mobile enough to be almost everywhere within the next few years. In addition, while the right of governments to intrude into personal relationships has not changed, the ability to do so has increased dramatically.

During the next five to 10 years, many technologies will come increasingly into play for security purposes, such as high-bandwidth wireless communications, miniaturized cameras, miniaturized databases, audio recorders and transmitters.

In the post-Sept. 11 world, governments have asked for--and have been granted--new rights to use such technologies, plus data mining, wireless communications eavesdropping, GPS (Global Positioning System) technology and biometric (face, hand, iris) identification. Calls for national identification programs supported by biometric identification technology have increased. The uses to which such identification would be put are undefined. And, ominously, the record of governments in protecting such information from official and private misuse is poor.

Society is at a major turning point. Real danger has coincided with the arrival of powerful, intrusive technologies. Questions about what is enough security and what is too much will play out for years, driven by technology and events that shape people's perception of risk and danger.

Companies must carefully define what they consider to be legitimate ways to gather and use information about themselves, their employees and their customers. Without such a definition, there's no basis for trust.

To protect trust, agreement is needed--worldwide agreement on what constitutes rightful and wrongful gathering and use of personal information, whether in the name of security, commerce or opportunism. Just as the world has established trade agreements, environmental agreements and copyright agreements, the world now needs information agreements.

(For related commentary on business continuity issues following a catastrophe, see Gartner.com. For more on security in general, see Gartner's special report on the topic.)

Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.