As the Homeland Security Act makes its way through the United States Congress, the topic of homeland security has become a relevant discussion in the information security marketplace.
A number of technology vendors have rallied around homeland security as a way to bolster sales at a time when infosec spending is down. The underlying question is whether homeland security will boost infosec technology spending in the short term - or if it will refocus the industry for longer-term success.
Why is infosec spending down?
Across the board, IT budgets have been cut, and information security has not been able to escape the market reality. In addition to a slowing economy here in the U.S., other reasons for IT budget cuts include over-spending in previous years.
For enterprise security managers, the impact of over-spending on technologies has sparked the perennial debate between capital and operational expenditures. The rapid proliferation of firewalls, VPNs and IDSs has created a massive labor requirement for management and monitoring, often in places where operational budgets have already been cut. Already skeptical IT managers have moved management questions to the forefront of technical purchasing decisions.
The logical solution to the increasing operational requirements of information security is to improve - and automate - management and monitoring functions. Given the global and systemic component of these security management platforms, the decision for such purchases moves well beyond the scope and budget of mid-level IT managers. In so doing, security management is selling to a completely different customer.
What does the industry expect?
The initial report from the U.S. Critical Infrastructure Protection Board (CIPB) arrived in September 2002, several months in advance of the passage of the Homeland Security Act. The draft report, entitled "National Strategy to Secure Cyberspace," outlined the infosec-specific roles and responsibilities of enterprises.
In its current form, the report describes in detail numerous processes and decision criteria for enterprises in various industries. Depending on the sensitivity of the information handled, the report explains the degree to which organizations should secure their physical and IT infrastructures. The CIPB encourages strong public-private coordination of information, best practices and other processes through industry organizations.
A number of technology vendors were disappointed by the draft report, because it failed to meet their expectations. After talking to a number of these vendors, I have arrived at the conclusion that many vendors expected the CIPB to prescribe an architecture for information security. This architecture would have mandated firewalls, VPNs, public keys, digital certificates, encryption and security management platforms. Had the CIPB report been so prescriptive, it would have forced a large number of companies to greatly expand their 2003 budgets for information security, leading to increased expenditures for both labor and technology.
In other words, vendors were hoping for a federal mandate to pull the industry out of recession by putting money back into infosec budgets.
What will actually happen?
The CIPB report doesn't shut the door on reference designs, mandated architectures and recommendations for higher levels of infosec spending. Instead, the report shifts that responsibility to various yet-to-be-created industry groups, and it delays the boost to revenues that technology vendors had expected.
The initial budgets to address homeland security will likely come into effect during the next two years. They may be delayed if economic recovery in the U.S. takes longer than expected. When the infosec budgets come back, security managers will have a much clearer set of objectives, and their role within corporate IT departments will be better understood at all levels.
Conclusion
Richard Clarke has been leading the various incarnations of the U.S. Critical Infrastructure Protection Board since 1998, and he has been clear about the roles that he feels that enterprises' IT departments and technology vendors play in information security. For enterprises, he has pushed for best practices in advance of technologies. He has also been highly critical of IT vendors - from operating systems to networks and enterprise applications - for the lack of security and quality assurance in their products.
Since 1998, the number of attacks has grown, and security technologies themselves now provide the launching points for cyberattacks. Physical security is still the primary risk for IT managers, followed by malicious activity from internal (properly authenticated) users. And a growing number of cyberattacks on domestic enterprises are coming from abroad.
It appears that the topic of homeland security will not provide the much-anticipated short-term boost in information security expenditures. Instead, it will foster the best practices, processes and industry accountability necessary for the long-term success of enterprise security managers.
Dan Taylor is the lead product marketing advisor at Giotto Perspectives (www.giotto.nu).