Re: [ISN] Analysts: Security's where the money is

From: InfoSec News (isnat_private)
Date: Tue Feb 12 2002 - 00:57:52 PST

    Forwarded from: Jay D. Dyson <jdysonat_private>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Mon, 11 Feb 2002, InfoSec News wrote:
    
    > Two segments of the computer-security industry should shake off the
    > general tech-market malaise and score double-digit growth this year, a
    > pair of market researchers said Monday. 
    
    	Curiously enough, the vast majority of such jobs appear to be in
    the .gov sector on the East Coast; and most of those opportunities require
    a security clearance (which, if you don't have one already, you'll need
    some good luck in getting one). 
    
    > Meanwhile, managed security services should grow even faster, according
    > to market researcher IDC, which estimates that such network-protection
    > providers will take in $2.2 billion in 2005, up from $720 million in
    > 2000.
    
    	I'll believe it when I see it.  By and large, managed services
    providers are priced well beyond the budgetary limitations of medium and
    small businesses (especially in today's economy).  Furthermore, medium and
    small businesses tend not to take security as seriously as large scale
    firms (all of which already have and can afford their own in-house
    talent).
    
    	As one who was previously employed as a Senior Security Engineer
    for a Silicon Valley-based managed services firm, I personally don't
    believe the managed services market is going to see any serious change in
    2002 or 2003.  Given the positively glacial pace at which the commercial
    sector embraces genuine security, I honestly don't expect anything serious
    to happen in that field until 2004 or 2005.
    
    > The optimistic outlook reflects the realities of a post-Sept. 11 world,
    > as companies and governments are turning to the computer-security
    > industry to help them secure their most critical information-technology
    > systems. 
    
    	Considering the continued and increasing use of Microsoft
    products, I find that difficult to believe.
    
    > "Enterprises are looking particularly at defensive security technologies
    > such as antivirus software, intrusion detection systems and firewalls," 
    > Colleen Graham, industry analyst for Gartner Dataquest, said in a
    > statement. "Government and defense will increase spending in reaction to
    > public concern about the shamefully low scores received in security
    > audits performed in reaction to increased concerns about the security of
    > the government IT infrastructure."
    
    	I personally have yet to see a truly aggressive security strategy
    put in place on the .gov side.  And that's not for lack of trying on my
    part.  Government sectors insist on commercial off-the-shelf (COTS) crap
    over the far more flexible and robust Open Source solutions.  Still worse,
    rather than pursuing full-blown audits of their potential vulnerabilities,
    they instead focus on a SANS-like "top fifty" set of problems, ignoring a
    wealth of other concerns that exist.
    
    	If there's going to be any meaningful change to this problem, it's
    going to require a total shakedown...because what's in place now just
    isn't cutting it. 
    
    > More telling than the reports, however, may be a pledge made by the
    > world's largest independent software company. In mid-January, Microsoft
    > Chairman Bill Gates stated in a company-wide e-mail that security had
    > become priority No. 1.
    
    	Actions speak louder than words...and the words themselves are too
    little, too late.  Hell, I'm *still* left cleaning up the Nimda, BadTrans
    and Sircam droppings left around my systems from other people's networks. 
    
    	Granted, Microsoft has recently announced that they're going to
    spend a month working on cleaning up their security problems.  Even the
    most blindly optimistic soul can't possibly hope to undo decades of poor
    security with a 30-day code audit.  That's like expecting years of dental
    neglect to be remedied by a five-minute brushing.
    
    - -Jay
    
      (    (                                                          _______
      ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) |    = |-'
     `--' `--'  `The armed are citizens.  The unarmed are subjects.'  `------'
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iQCVAwUBPGer5rlDRyqRQ2a9AQGeAwP/a/xiSm4v8T0tkY9Zm5rHBas1QXEnkR4I
    SMgL8JoQUepdujzHWmfFrKrgHjmSR16jMunH+dKdZWEDRxJX/qaXrCWdm6zWHkR5
    zBpSbK+BNq/gTgqVdF0kyHZ0xqAFUg0z6qozgl6TjO8gqLrlAVp5mEP7MYg0jwNS
    MFxoHbyQv/E=
    =GzJB
    -----END PGP SIGNATURE-----
    -
    ISN is currently hosted by Attrition.org
    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 04:46:05 PST