Into the fire

IT security can be a daunting topic - but the reality may be bleaker than many imagine according to Christopher Rouland, CTO of ISS, and Daniel Ingevaldson, manager of technology strategy at ISS, now part of IBM. ACN caught up with them at Hack In The Box Dubai in April.

By Eliot Beer, published June 1, 2008


Given the continuing rise of infection rates and failure of security, does the way companies such as ISS, IBM and others - as well as enterprises and consumers - look at security issues need to change?

Christopher Rouland: One of the assumptions we have to make today is that any client on the internet is currently infected.

The rates are very high - between one in four and one in ten - but when you're doing business on the internet today, you have to assume that the end user has a very high potential of being infected.

We operate from that model: how can we provision security to the end user to make transactions secure for them? So that's one of the big problems we're trying to chase.

I think a lot of the base of the problem we're talking about is the consumer - that is a space that definitely needs to change. Whether it's one in four or one in ten - split the difference, call it 20%: it's a pandemic environment.

If 20% of the human population was sick with one disease, we'd be trying to fix that. I don't think this problem has got enough airtime, because these vendors that are providing client security to consumers have failed.

It's now a public safety issue, a public health issue - and unfortunately there's no real business model out there.

The real challenge there is no one wants the phone call: no one wants the consumer to call, because the call costs more than any revenue they'd ever make. On the other hand, there is a big business model for the enterprise.

If there's a business model for securing the enterprise, why are enterprises still infected: is it because the technology is still of mixed quality, or because enterprises themselves are not implementing it effectively?

CR: I'd give you a third answer - the management of multiple vendors' security products is simply untenable. Trying to run a different management console for every security product is where the ball's getting dropped.

So just as we're seeing consolidation in the security space, we're seeing that consolidation solve this problem. One reason is because the Fortune 50 want to spend their money with a few vendors, not with 20 vendors.

The average enterprise has 32 security vendors - you think anyone can get that working? Our customers want to buy more from us, they want us to manage more for them.

Just as people pay someone to monitor alarms in their homes - they don't want the alarm to beep them and tell them their house is on fire, they want it to call the fire department.

Enterprises want spending consolidated with one vendor so they get better value, but also they want more control over their vendor, and they want someone else to manage it.

There's been a lot of interest in attacks against core enterprise applications - is this the next wave of security threats?

CR: It's not next, it's now! Nick Donofrio, who's basically head of all technology at IBM, refers to application security as "the hackers coming in through the chimney".

It's a funny metaphor, because we never expected them to come in that way - I wouldn't say never, actually, because over the last few years we realised, as we saw the number of vulnerabilities, and as we made web applications easier to write, the denominator became lower to deploy them.

They're happy to get stuff working, they don't make sure it's secure.
