Adam Hils

A member of the Gartner Blog Network


Midsized Businesses: Security on a Shoestring

November 19th, 2009 by Adam Hils · No Comments

With colleague Ruggero Contu, I’ve written a “buying behavior” note based on a survey administered to security professionals from midsize companies in Western Europe (Italy, Germany, France) and BRIC nations (Brazil, Russia, India and China). This study compares the two groups’ tendencies, and contrasts them with large enterprise behaviors.

Make no mistake: Midsize organizations do security differently than the big guys do, and tendencies (and sophistication levels) differ across geographies. Witness the following “key findings” from the research:

  • Western European midsize companies have had higher security budgets in 2009 than BRIC organizations.
  • BRIC countries show a propensity to invest more in hardware security products but less in staffing.
  • Suite products and single-vendor reliance continue to be important to midsize companies. Outsourcing is expected to grow. Smaller organizations are less likely than their large enterprise counterparts to take a “best-of-breed” approach to security.
  • Data security and privacy and infrastructure protection — not regulatory compliance — are still the primary drivers of midsize IT security spending.
  • Midsize companies make more purchases through indirect channels than enterprises, buying directly from vendors less frequently.
  • Because of limited security staff and granular senior-level budget control, midsize business leaders — more than IT professionals — drive and influence security purchasing decisions. Among the smaller BRIC companies, about two-thirds (66%) had the board of directors or senior management involved in IT security policy decision making, compared to 54% of their larger counterparts. Among European midsize respondents, 52% had these senior managers involved, versus 37% of larger companies.
  • Symantec is the most popular provider of MSS and security tools, but local players play a significant part.

This report provides a breakdown of respondents’ security budgets (including spending buckets) for 2009, and projected change for 2010; spending drivers; legislative/regulatory influences; organizational budget/spending decision makers; and preferred solution form factors, channels, and vendors.

We also provide advice to vendors looking to serve the midsize market.

The report is available here to Gartner customers.


Word Massaging, Security Vendor-Style

November 13th, 2009 by Adam Hils · No Comments

Gartner colleague Wes Rishel coined a spot-on term in a recent email thread: “Bonomatopoeia”, defined as something that is “much more pleasant-sounding than the actual substance would suggest.”

I have some security ones:

  • “We have no competitors in the anti-<insert exotic custom malware/threat type here> market!” sounds better than “There is no market. I hope my product can at least be a feature of a larger solution. Someone buy my company, please!”
  • “This product is unhackable” sounds better than “no bad guys know about our product, and no customers use it”
  • “Our product is carrier class” sounds better than “our product is too complicated for typical enterprise IT security folks”
  • “Our product is right-sized for small business” sounds better than “Our product has little throughput and no enterprise-class features. The interface looks like it was designed by a precocious kindergartener”
  • “Our solution provides strong positive ROI” sounds better than “I have so much disregard for your intelligence as a customer that I am trying to convince you a security product can have ROI. Not only am I feeding you a line of nonsense, I’m feeding you one that’s not very original or creative.”
  • “Enterprise UTM” sounds better than….(see Greg Young for details)

There are at least a thousand more good candidates out there. Which ones do you favor?


Cloudy With a Chance of Hybrid (You Got Services In My Firewall)

October 28th, 2009 by Adam Hils · No Comments

Remember those old peanut butter cup commercials from the 1970s? In security-land, vendors are beginning to combine their chocolate and peanut butter into combined product/SaaS offerings. A spate of acquisitions, including Barracuda’s recent Purewire purchase and Cisco’s ScanSafe takeout, announced yesterday, signals that SaaS offerings are becoming a mainstream SMB delivery mode for certain security controls, and that traditional product vendors understand the need to jumpstart their security-as-a-service portfolios and (hopefully for them) combine two great tastes that taste great together.

I’ve published a Q&A note (for Gartner customers) about what this means for multifunction firewalls and the SMB customers who love them. In it we answer the following questions:

  • When does it make sense to consider a hybrid security-as-a-service and premises-based solution?
  • When building an RFP for an SMB mixed-mode multifunction firewall (UTM), what factors must be considered?

We expect single-vendor multi-mode solutions to come online relatively soon, and offer the following Strategic Planning Assumption:

  • By year-end 2012, 20% of new SMB multifunction firewall deployments will include email or Web security-as-a-service.

Vendors are mixing their peanut butter and chocolate because customers anticipate yumminess. Vendors must build in easy-to-manage, seamless goodness, and customers must insist that the finished product mixes well at a low cost and satisfies their appetites without making their IT environments indigestible, security budgets bloated, protection postures slouchy, and users nauseous. Otherwise, rueful network security pros will recall this advertisement.


Barracuda Networks Acquires Security-As-a-Service Startup Purewire

October 15th, 2009 by Adam Hils · 1 Comment

Gartner’s First Take, which I co-wrote with Peter Firstbrook, just published here.

This is clearly a play by Barracuda to jump further into SaaS, as it must. SaaS services are increasingly critical in the SMB space. Although SaaS for secure web gateway (SWG), Purewire’s offering, comprises just 4% of the market today, that percentage is growing rapidly. And sub-1,000 seat customers make up 75% of the existing SWG SaaS market.

Just as important to Barracuda’s leading line of business, email security, SaaS offerings constitute well over 30% of the total market, so jumpstarting their SaaS capabilities with a strong platform makes a lot of sense. 

I expect that Barracuda will encounter some challenges as it tries to ratchet up its larger enterprise sales, but you can read about those in the research note.

Personally, I am happy for Purewire, whose execs are Atlanta security veterans (and good folks), most of whom hail back at least to CipherTrust’s halcyon days, and they have innovation in their bloodstream.  I look forward to watching them innovate under a new logo.


Enterprise UTM: When Bigfoot Videographers Attack!

October 5th, 2009 by Adam Hils · 3 Comments

My colleague Greg Young recently heard from some Bigfoot videographers after his post “Unicorns, Pixies, and Enterprise UTM”, wherein he correctly stated that, “At Gartner, we haven’t seen enterprises shifting to using UTMs or SMB multifunction firewalls, nor do we forecast that this will happen any time soon.” Remember, Gartner hears from many thousands of customer organizations of all sizes, and rarely do we hear about core UTM deployments among large customers. When we do get inquiries about this, they are almost uniformly about firewall/IPS-only deployments in boxes with “UTM” on the bezels. 

I won’t rehash all the arguments Greg’s critics have put out there. Sure, they probably do know of a few enterprises with full-on UTM deployments, especially if they have (or have had) some connection with an “enterprise UTM” vendor. For the sake of argument, let’s call these “Bigfoot sightings”. People see large hairy creatures, find physical evidence, perhaps even interview corroborating witnesses; at the end of the day, however, actual enterprise (not branch) core UTM deployments are rare enough that real sightings are worth noting for their extreme oddness. Don’t just take my word for it; ask the companies themselves, as we have in our IT Key Metrics studies, wherein

  • Approximately 15% of respondent companies have gross revenues greater than $40 billion.
  • Slightly more than 33% of respondent companies have gross revenues between $10 billion and $40 billion 
  • The remaining 52% of companies/organizations have gross revenues of less than $10 billion.

See the following chart: not just UTM, but any integrated security appliance ranks last on the list of respondents’ 2009 priorities, unchanged from the previous year’s results. I’ve obscured the list of technologies to avoid “giving away the farm” in a blog post, but suffice it to say that “Integrated Security Appliance” ranks well behind “Intrusion Detection/Prevention” and “Firewalls”, and trails “Spam Filtering” and “Web Site Filtering/Blocking” as well.

IT Key Metrics Security Priorities, 2009

What’s most interesting about these results is not that “Integrated Security Appliance” is last in a best-of-breed enterprise security buying world, but that it has not improved its standing year over year.



US Federal Cybersecurity: At Least It’s Not a Punchline

September 28th, 2009 by Adam Hils · No Comments

The United States government is having a difficult time hiring a “cybersecurity czar”, leading to much consternation in security circles; on the other hand, it also has managed to refrain from launching a super-secret “naughty boy” hacker network.


NIST Security Advice to Small Businesses: Of Little Use

September 23rd, 2009 by Adam Hils · 2 Comments

I recently ran across the NIST (National Institute of Standards & Technology) guide, “Small Business Information Security: The Fundamentals,” a draft created by NIST computer scientist Richard Kissel.

In it, NIST attempts to instruct what it terms “small business” on security best practices. I was happy to see this effort, as small businesses often have real difficulty with creating sound information security foundations. Upon reading the document, I find areas where it could improve significantly.

The first problem with NIST’s approach is that it provides guidance for “a business or organization with up to 500 employees”. Generally speaking, there is a big difference in security needs and sophistication between organizations with, say, 50 employees, and those with 450. This guide seems built for businesses with fewer than 100 employees, without even basic security knowledge.

The piece veers between too generic to help – “When hiring new employees, conduct a comprehensive background check before making a job offer” – and overly granular, as when the author, in excruciating detail, describes how to do monthly manual data backup.

NIST would be more helpful to small businesses if it started with some of the exercises in the appendices in order to force small businesses to think about security systematically, using criticality of data as a guiding principle. The appendices provide formats for thinking about business data and how to protect it. These are valuable as jumping off points for doing the hard work of prioritizing and building a security strategy.

Instead, the guide jumps rather quickly into “must-do’s” and “should-do’s”, which make little sense in a strategy-less vacuum.

Given the nature of this guide, let’s examine NIST’s 10 “absolutely necessary” protections:

  • Protect information, systems and networks from damage by viruses, spyware and other malicious code.

This means “get antivirus and keep it updated”, which is a fine way to address known threats, but known threat signatures are the least of the small business’ security problems right now. NIST would do better to advise small companies to adopt endpoint protection platforms, which put several host-based protections in the same software package.

  • Provide security for Internet connections.

Yes. Network firewalls are indeed necessary. Small businesses should be advised not to over-buy here, but to find one that fits their internet gateway needs; multi-function firewalls (aka UTMs) can also provide email and Web security, issues the NIST guide for some reason gives short shrift.

  • Install and activate software firewalls on all business systems.

Yes. However, this is often taken care of by buying the endpoint antivirus stipulated in the first bullet. Buying a separate personal firewall (or implementing the Windows XP version) should be redundant with a modern endpoint protection platform in place.

  • Patch operating systems and applications.

Of course. But setting apps and systems to patch automatically, under all circumstances, can bring systems down, sometimes making the solution worse than the original security vulnerability.

  • Make backup copies of important business data/information.

This advice is fine, as far as it goes. The author should also mention the cloud backup services now available for low cost to small businesses.

  • Control physical access to computers and network components.

This is obvious stuff. Advice like “spotcheck for unlocked employee workstations” would be a useful hint.

  • Secure wireless access points and networks.

Yep.

  • Train employees in basic security principles.

This stuff about training is putting the cart before the horse for many small companies. Before they can train employees about security policies, small companies must have them, and they must be well-considered. Many do not. The kinds of formal security training described in this guide will divert human and capital resources from basic security projects that could protect the business.

  • Require an individual user account for each employee on business computers and business applications.

Strong password and password aging tips provided here are okay, but no consideration is given to employees with multiple passwords who write them down on Post-Its and stick them to their terminals. Seriously. Changing strong passwords frequently has potentially negative security ramifications.

  • Limit employee access to data and information, and limit authority to install software.

Here’s a place where the author could give real prescriptive advice about using Microsoft Active Directory (for example) to build groups with specific access rights to certain apps or parts of the network.
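As an added example (not from the NIST guide or this post), here is the sort of prescriptive Active Directory step that last bullet asks for: rights granted to role groups rather than to people, an explicit NTFS ACL on a departmental share, and an audit of who is a local administrator on workstations, since a standard user cannot install software. The domain EXAMPLE, the OU, the share path, the user and computer names are all hypothetical; the script assumes the RSAT ActiveDirectory module on the admin workstation and WinRM on the workstations.

```powershell
# Added example, not from the NIST guide or this post: least-privilege access
# built from Active Directory role groups and NTFS ACLs, plus a check that no
# ordinary user is a local administrator (so they cannot install software).
# Assumptions (all hypothetical): domain EXAMPLE, the RSAT ActiveDirectory
# module, an OU "OU=Groups,DC=example,DC=local", a file server folder
# D:\Shares\Finance, and workstations WS01 and WS02 reachable over WinRM.
#Requires -Modules ActiveDirectory
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$domain    = 'EXAMPLE'
$groupOU   = 'OU=Groups,DC=example,DC=local'
$sharePath = 'D:\Shares\Finance'

# One role group per access level. Rights go to groups, never to individual
# accounts, so onboarding and offboarding become membership changes only.
$roles = [ordered]@{
    'Finance-ReadOnly' = 'ReadAndExecute'
    'Finance-Editors'  = 'Modify'   # Modify, not FullControl: editors cannot alter the ACL itself
}

foreach ($name in $roles.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
            -Path $groupOU -Description "Role group: $($roles[$name]) on $sharePath"
    }
}

# Day-to-day administration is just this: add or remove members (hypothetical users).
Add-ADGroupMember -Identity 'Finance-ReadOnly' -Members 'jdoe'
Add-ADGroupMember -Identity 'Finance-Editors'  -Members 'asmith'

# Build an explicit, minimal ACL on the folder: stop inheriting from the parent,
# drop every existing ACE, then grant only the role groups plus SYSTEM and
# Administrators (so backups and administration keep working).
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)          # $false: do not keep inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$grants = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }
)
foreach ($name in $roles.Keys) {
    $grants += @{ Identity = "$domain\$name"; Rights = $roles[$name] }
}
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Identity, $g.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# Check: who can write to the folder now? Anything beyond the editors group
# and the two administrative principals is a finding worth chasing.
function Get-WriteCapablePrincipals {
    param([string]$Path)
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights -band $write) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}
Get-WriteCapablePrincipals -Path $sharePath

# Limit authority to install software: employees run as standard users.
# Audit the local Administrators group on each workstation; only the machine's
# own built-in Administrator and Domain Admins should be present.
$allowedAdmins = @("$domain\Domain Admins")
foreach ($pc in 'WS01', 'WS02') {
    $members = Invoke-Command -ComputerName $pc -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    $extra = $members | Where-Object { $_ -ne "$pc\Administrator" -and $_ -notin $allowedAdmins }
    if ($extra) { Write-Warning "$pc has unexpected local admins: $($extra -join ', ')" }
}
```

The audit only reports; once a warning has been reviewed, `Remove-LocalGroupMember -Group Administrators -Member <name>` on that workstation is the fix. Breaking inheritance and rewriting the ACL is deliberate: a folder that merely adds an editors group on top of an inherited "Users: Modify" entry has not limited anything.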


Security Vendors (and “Leading Edge” Customers) Abhor a Vacuum

September 18th, 2009 by Adam Hils · 2 Comments

A long time ago, Aristotle posited his horror vacui theory: Nature abhors a vacuum, therefore empty spaces suck in gases or liquids. This principle was later reinforced but modified by The Second Law of Thermodynamics, wherein it was found that matter moves to the vacuum as it seeks the area of greatest entropy.

When a new strategy, process, or application catches fire within IT departments, a security vacuum (and potential entropy) is created. Security vendors scramble to try and fill this vacuum with new or repackaged security solutions. Virtualization and Microsoft Sharepoint are examples of new strategies or applications that have unleashed potential security entropy, creating voids that vendors have created “matter” to fill. As in physics, this is a natural process that repeats again and again.

Individual vendors and end users run into trouble when they misjudge the size and potential negative consequences of the vacuum. Surviving worm mitigation vendors that had sprung up in 2004 to address one vacuum that quickly got overfilled with vendor “matter” moved to their next void, NAC. With the NAC vacuum increasingly addressed by network and endpoint platform vendors, many of the NAC void-fillers are going out of business or desperately thrashing out a new business plan to address the next vacuum.

Leading edge customers, on the other hand, are very good at watching security vacuums form in their IT infrastructures as employees hook their iPhones to the corporate networks or data centers are virtualized without security’s input. In such cases, some hyper-Type A customers shoot first and aim later, buying immature technologies that don’t work as advertised or address a problem that either will not materialize or will take a different form.

The early days of network IPS provide an example of solutions – if deployed in full blocking mode with too many signatures enabled without copious testing – that often created challenges with false positives and/or network performance slowdown much greater than the security problems they solved. In this case, however, the void was large and risky enough that vendor signature sets got better and end users got smarter, and the market is large and robust today.

Security end user pros, of course, should always seek new potential areas of void and try to minimize entropy, but they must do so deliberately and systematically. Security vendors must realistically assess (and reassess) areas of emerging customer need by asking the following questions:

1) Is the potential security entropy real? Will it cost the customer money, endanger their data, or otherwise threaten their business?

2) How long will it take before the majority of customers realize the problems caused by the security vacuum?

3) How big will the vacuum be, and are other vendors better positioned to fill it?


Happy Labor Day, Information Security Professionals

September 4th, 2009 by Adam Hils · 1 Comment

This week, as we head into Labor Day weekend, I’ve had occasion to reflect on The State of the InfoSec Worker. And it could be worse.

An acquaintance of mine has been laid off after working for a F50 company for 15 years in various roles, including network engineer, Java developer, and software tester, to name just a few. His employer, which offered a fairly generous severance, is willing to reimburse for job retraining and industry certifications. Over the years he’s developed an interest in security, and his question for me was, given the recession and the overall difficult employment picture, is security worth going into?

I had to think about it for a while. Believe me, in these last several months I’ve seen information security friends, acquaintances and clients laid off as their employers attempt to make their books balance. Being unemployed, especially in this environment, makes things personally bleak, and the landscape is dotted with very smart security people who are currently between gigs. On the supply side, some vendors (see John Pescatore’s NAC post) are feeling the pinch of security people rationalizing their project portfolios, um, rationally.

Then it occurred to me: The state of information security employment, though not robust, is relatively healthy. Consider this:

  • Security as a percentage of IT budgets has risen this year
  • Security spending next year is expected to rise a bit, outdoing other technology areas
  • Gartner’s numbers for 2010 indicate that personnel will continue to account for about 20% of info sec budgets.
  • Security spending on “blocking and tackling” security functions continues, as various inputs, including Gartner customer inquiries, indicate; top customer spending priorities include intrusion prevention, vulnerability assessment, identity management, endpoint protection, and security information and event management (SIEM)

So, given my acquaintance’s particular situation (broad/deep IT experience, time to train/interview, strong skill acquisition capabilities), I advised him that security would be a good field to enter.

Removing my rose-colored glasses for a moment, I know things are tough out there. I also spoke this week to a Director-level IT manager at a mid-sized financial services company whose security staff comprised one full time employee and one full time contractor. Those two, who were responsible for all security functions in a 1,000-person, heavily-regulated company, accounted for less than 3% of the IT workforce, an incredibly low number for the industry. This Director needed assistance finding benchmarks and other metrics to justify hiring the contractor as a company employee for less money than the organization was paying the contracting firm. When I showed her how much she had underspent other similar firms, she exclaimed “Wow! Yay me!” and went away armed, ready not only to hire the contractor but to make the case for a third resource.

Information security pros are doing more with less, keeping their organizations safe against long odds. On this Labor Day weekend, I hope you get a chance to cut communication with work for a bit, celebrate the job you’re doing under heavy constraints (“Yay you!”), and take some comfort in the expectation that things may soon improve.


Occam’s Razor and Security: Not a Simple Relationship

August 27th, 2009 by Adam Hils · 4 Comments

“Everything should be made as simple as possible, but not simpler.”

- Albert Einstein

Here’s a bit of a rant:

Security folks love to construct elaborate conspiracies to explain how their sensitive data gets exposed. I have had some conversations recently with security professionals who are convinced beyond a shadow of a doubt that their organizations are being victimized by targeted attacks employing cutting-edge, custom-developed techniques probably designed by disgruntled unemployed computer science PhDs from <name your country-of-choice here>. (These beliefs are most pervasive in the weeks following Black Hat). Here’s some advice: Rather than assuming that a highly-skilled clandestine Eastern European cybercrime ring has perpetrated the most skillful data-grabbing hack ever, check to see if an employee has unwittingly sent an email containing sensitive data to the wrong BCC list.

To some extent, information security professionals must start in any investigation of a security breach with Occam’s Razor (The principle that, all other things being equal, the simplest explanation is the best) in hand. Occam’s Razor is a heuristic that helps security people stick to the facts and not make baseless assumptions.

Humans introduce risk, and your organization is composed of humans. As the facts get clearer, it may well become evident that your organization has been victimized by a gang of Dr. Evils; until evidence crystallizes, however, it’s best not to violate Hanlon’s Razor (“Never attribute to malice that which can be adequately explained by stupidity”).

No security pro can afford to become “The boy who cries wolf.” Using Occam’s Razor as a rule-of-thumb will help avoid that.
