FUD sells security, doesn't it?

Freeform Comment Tony Lock 7th August - The long and winding road to application service availability

Judith Hurwitz Judith Hurwitz 7th August - Cloud Computing: a work in progress or a silver bullet?

Teblog David Tebbutt 6th August - Hacking through the green jungle

Abrahams Accessibility Peter Abrahams 6th August - Accessibility Conferences

Abrahams Accessibility Peter Abrahams 5th August - Accessible website navigation (part 2)

Abrahams Accessibility Peter Abrahams 1st August - Accessible website navigation

Blogs > IMHO

FUD sells security, doesn't it?

By: Michael Warrilow, Director, Hydrasight
Published: 20th November 2007
Copyright Hydrasight © 2007

Hydrasight has previously noted that it believes the enterprise security landscape will change significantly by 2009. Moreover, we stated that the vast majority of organisations will be unprepared to defend against an increasingly sophisticated blend of security threats by this time.

While I don't want to prejudice your thoughts, because I want your unbiased input, our current research is showing some interesting results. The vast majority of the organisations we're in contact with are feeling comfortable with the state of their external defences at present. Many consider themselves to be at least somewhat mature, or better, in terms of incident (i.e., attack) response, IT risk management and regulatory compliance.

This is a good thing... I hope (assuming they're not in collective denial).

The risk moving forward will, of course, be to remain vigilant and to not become complacent. Successful denial of service (DoS) attacks and/or unauthorised penetration appears low—or so well hidden that it would have to border on conspiracy if it were slipping below the IT radar so successfully. I do know several off-the-record examples of the former, mind you, among some of the largest organisations in AsiaPac... undertaken for profit and political activism.

So, as my title alludes, what's happened to security's drawcard of fear, uncertainty and doubt?

Along with the risk of complacency, and in the absence of a strong 'motivator' (e.g., compliance), there's a risk that overconfidence will lead to falling business interest in IT security. Tempering that, many now describe their overall enterprise security environment to me as 'sound' and 'aware' yet also 'growing more complicated'.

It would seem, overall, that we're maturing.

Click on this link to let me know what you think. If you give me five minutes then I'll commit to share the summary results with you.

PS - Curiously, and just so you don't get anxious, there remains quite a lot of planned activity in regard to what most would consider to be basic elements of infrastructure / application security (e.g., wireless, identity). As with all things, each matures at their own rate.