Securing the Future

IT security is still at an early stage in the Middle East, but how will the market shape up?

By Mark Sutton. Published November 10, 2002

Last month's CRN looked at the state of information technology security in the Middle East today. This month we look forward, to the trends and technologies that will drive the security market in the region. While the true potential of the security sector may not live up to the hype (IDC Europe says that while awareness is on the rise, lack of understanding and confusing vendor messages are hindering spending), security spending in Europe alone is still expected to rise to $5.9 billion by 2006, a compound annual growth rate of 26%.

There are a number of problems facing the security market, many of them driven by this increased awareness of the need for IT security that IDC mentions. Customers are demanding security solutions, but they rarely seem to know what exactly they want. This leaves it up to the reseller to provide a solution, and apart from some specialist companies, there is a serious lack of security know-how in the channel.

Saul Steenbok, Aptec's technical support manager for Symantec, said: "In this market there is a need to put more focus into training. What we have come across is a lot of unskilled people. [Companies] are hiring people with technical qualifications, for example MCSE, and calling them network security engineers; they are hiring the wrong people for the job."

Aptec, along with Symantec, has been trying to increase the levels of security expertise in the channel through the Symantec Partner Programme, which places requirements for a minimum number of engineers within reseller partners that want to sell Symantec products. As a value-added distributor, Aptec is able to shoulder some of the burden of expertise, although the eventual aim is to get the resellers trained up. To facilitate this knowledge transfer, Aptec and Symantec have been running a number of seminars around the Gulf region, but there is also a need for security training that is not product-specific, said Steenbok: "What happens is most of these guys have a certain product-specific training, so all they will do is push that product, because that is all they know. What we think they need is more vendor-neutral training, the Certified Information Systems Security Professional (CISSP) and so on, so they can make informed decisions."

Rama K Subramaniam, director of Valiant, the training partner for specialist security solution provider Paramount Computers, and one of the only companies in the region offering CISSP training, said the rewards for those that do have security training are certainly worthwhile. "A good security professional today, with business knowledge and technical knowledge, as well as with ground level experience: we are talking of engagement fees in the region of $1,500-$1,800 per day."

There is also a need for a different type of technical expert, Subramaniam said: the security manager. While engineers are appropriate for some positions, there is also a demand for the management professional that understands security, can see it as part of a corporate infrastructure, and can oversee it as any other function of management.

There are few companies in the region that are at this stage of acceptance of security, unfortunately, and many companies are not willing to pay for much more than products. Prajit Arakkal, Symantec business unit manager at Aptec, explained: "What we have seen is reluctance from corporate customers to take annual maintenance contracts for Internet security products. It has been a tough sell in terms of selling technical support around a maintenance contract. People are more and more interested in getting their network secured, that is on one side, but looking at the return on investment, and what they incur as costs, is not something they have really worked on."

To a certain extent, the products are helping to alleviate the need for expertise, Arakkal said, with products such as Symantec Enterprise Security Manager that provides automated administration of security functions, but there is still a need for support that customers have yet to be convinced of. "If the deployment is right, it is an automatic solution, most of the time, you really don't require manual intervention, but at some point in time you just need to pull out reports and so on, to make sure everything is running; the purpose of an annual maintenance contract is should something happen, they have always got back up," he said.

The products themselves are also proving a challenge, especially with regard to selling solutions that are anything more complicated than anti-virus or firewalls. "There are a couple of partners that take a phase by phase approach: they get into an account, and say 'first you require a firewall, then an anti-virus programme, then intrusion detection,' and so on, but probably 80-90% of resellers are taking an opportunistic approach, in the sense that someone comes to them with a requirement for an anti-virus programme and they just deliver it," Arakkal said.

"An ideal situation would be where the customer can make the decision as to what they want, rather than have the reseller come in and push the product," Steenbok continued. "The customer should be able to evaluate it."

There is also a need for vendors to simplify products, according to Daniel Nufer, marketing director of Comguard. He said that especially as security requirements become more and more complex, it is harder to tie elements together in a holistic, multi-vendor deployment. He predicts that the future will see consolidation among security vendors which will see some improvement in the situation.

"Security has to become easier," he said. "At this time, there is no system that can fulfil all security needs; it is too complicated, too complex, and there are too many vendors, and that is where you see, at this time, some companies moving together, like firewall/VPN [vendors], they are going to buy IDS companies, and so on."

One approach to simplifying security has been a single-box solution, which has been suggested by some vendors, but this has tended to be rejected because of the inherent risks in a single point of failure. Products do need to become simpler however, says Nufer, to meet the requirements of the customers, in particular the small-to-medium business segment where he sees the greatest need.

"I think the biggest economic risk is small-to-medium businesses, because most [companies] in the Middle East are small-to-medium businesses; in the US there are 5.6 million small businesses who think this can never happen to us. Businesses have to get awareness," he said. "The threat I see at the time is hacker organisations are shifting targets. In the US and Europe, most big government or enterprise organisations have increased their security, so now they are searching around for new targets, and where are the new targets? This is a big economic risk for the Middle East."

Another area of security that is likely to develop is in the realm of consultancy. Although many of those in the field say it is proving difficult to educate the market in the value of consultancy, it is going to be impossible to provide genuine security without providing services other than simple network-based security hardware and software.

Risk Diversion is one of the companies that are offering a wide portfolio of services to enterprises in the region. The company describes itself as an integrated security risk management consultancy, and has services on offer that include network security, computer forensics, money laundering detection, staff screening, business continuity planning and executive management awareness training, among many others. Ultimately the services on offer all boil down to one thing: good corporate governance. Johan Du Plooy, chief executive of Risk Diversion, said that as more and more companies think about security, so they are starting to realise that they have a lot more risks than they might have first thought.

"Banks spend a lot of money on security, but not on the people they hire," he said. "They don't do background checks on staff; 80% of security problems are internal problems, we see it over and over again."

Du Plooy said that it will take a long time before all the issues around security can be properly addressed, and that a major cultural shift would be necessary before most companies would even admit to security vulnerabilities.

"When you talk to an IT manager about security, he just thinks about hackers; he doesn't think about physical security or business processes etc. Companies are going to get seriously hurt. You have to really look not just at the technology side, but also business processes, at physical security, at threat assessment. It has to become part of the culture, and understood by all. I can't see corporate governance here for a while; it is a good concept, that will evolve, but there is a lot to be done before you can even talk about corporate governance."
