IT Security - Bridging the Gap
Resolving the Paradox of IT Security - Understanding the Dynamics of the European IT Marketplace
There is a paradox at the heart of corporate IT security. Despite a clear idea that IT security works best when considered within the strategic context of a corporate security policy, companies are deploying products tactically rather than implementing comprehensive security solutions. IT departments are not engaging sufficiently with the business to fully scope security requirements and understand the business risks to be mitigated by any IT security deployment. Meanwhile, the IT industry should shoulder some of the blame for failing to provide products that are secure out of the box.
Key Findings
- IT security is a business issue, to be solved holistically and from within
Companies see business drivers as the best starting point for security solutions, with the top two drivers being business continuity and information protection. In addition, the most important security benefits are also customer facing, in terms of improved trust and providing better services. Despite the emphasis on external threats in the media, companies see the major risks as internal, either from human incompetence or computer system failure. They feel an appropriate combination of built-in security features of technology products and better operational processes would enable these risks to be minimised.
- Business users are not being involved in security decisions
Despite this business focus, respondents do not see IT security as an area that business users should get involved in, even though they note that the board should play a greater role in policy definition. This implies a contradiction - respondents agree that security is a business issue, but largely they want to handle it themselves.
- Tactical security solutions are taking precedence over strategic solutions
Companies are not managing to implement security in the round. While most companies are working towards the definition and implementation of a corporate security policy, only a minority feel it has been implemented adequately. Similarly, the technologies associated with a holistic approach (such as centralised management) have been implemented by less than half of the companies surveyed. Failures are put down to the ineffectiveness of existing products and solutions, and wasted consultancy.
- Companies want to define, implement and manage their own security
Companies don't want to depend on others for security: there is very little interest in handing over responsibility to third parties, whether for consultancy, deployment or external service provision. This is largely an issue of trust, driven by reputation and personal experience. The only area in which companies would feel comfortable handing over any responsibility is security audits and reviews. This is an area where companies are particularly weak.
- Cost is the least important criterion for judging security solutions
Companies would prefer a one-off payment (or even monthly subscriptions) to yearly licenses, but more importantly, security solutions need to be compatible with the existing infrastructure. Quality, flexibility, success rate and manageability are secondary. This does not mean that cost is unimportant - rather, it is of concern once the other criteria have been met. Respondents would prefer ongoing security costs to be an intrinsic part of IT maintenance. While this is true in the majority of cases, it could be better.
- Security needs to be provided in the box, integrated and managed centrally
Just as companies feel that existing products are not as secure as they could be, so they see that major security improvements should come from IT products themselves in the future. Unfortunately, hardware and systems vendors do not have a good reputation in this area, which confirms the feeling that security has been treated as an add-on rather than a primary concern in the past. Integration is the key enabler, in particular to enable the centralised management and control of security, and to provide a foundation for the safe running of the business.