The threat of cyber-terrorism has firms spending precious dollars on anti-virus and intrusion-detection software.
The big challenge for chief information officers in 2003 is protecting their firms from a "digital Pearl Harbor," says Jon Gossels, president of SystemsExperts.
"People are concerned about cyber terrorism," says Gossels, whose Sudbury, Mass. firm advises financial institutions on security issues. "Wall Street isn't hiding from that. It's inevitable that it's going to come." The question people are asking, he says, is, "What do we have to do to deal with it?"
Given that, Gossels says, the focus for 2003 among securities firms should be on three key areas: deploying anti-virus technology, building better intrusion-detection systems, and developing better configuration and monitoring procedures.
That means more investments in an industry that is facing beleaguered budgets. However, if there's one bright spot when it comes to technology spending, it seems to be the security area.
Michael Turits, a vice president and senior analyst with Prudential Securities in New York, says, as we move into 2003, "Security spending seems to be strong."
A November 2002 CIO Magazine survey found that more than 52 percent of IT executives polled expect to increase spending on security software in the coming months. Only 7 percent expected security spending to decline, making it the most optimistic spending category, ahead of spending expectations for computer hardware, data networking, e-business-application software and infrastructure software.
As we move forward in 2003, Turits says, "We will have increasing demand for enabling technology and authentication will become increasingly important, as budgets start to loosen and new services are rolled out." Authentication, he says, is one of the industry's "long-term priorities."
Lloyd Hession, chief security officer at Radianz, which is essentially an extranet that provides networking services, says that the events of Sept. 11 still loom large when it comes to security. That's because firms are coming to grips with requirements under new laws, such as the Patriot Act. "It has influenced the level of accountability in organizations," he says.
Tom Patterson, the partner in charge of security services for Deloitte & Touche in New York, says that the Patriot Act "is certainly a driver" for new security technology. "You have to track a lot more information."
Hession says that because the financial markets are based on confidence, "Firms have got to have their security sorted out." He predicts that it will "only be a matter of time" before businesses see another attack similar to the Code Red worm, one of the most damaging worms to hit the Internet back in 2001.
Code Red exploited a buffer overflow in the Index Server ISAPI extension of Microsoft's Internet Information Server (IIS) on Windows NT and Windows 2000, spreading from one unpatched web server to the next with no user action. It is estimated to have cost the global economy more than $2 billion to clean up.
That's why the focus in 2003 will be on fending off intruders, says Hession.
One "significant trend," he sees is a "move to more and more sophisticated application integration into the supply chain. Companies are opening up old legacy-systems applications and replacing them with newer ones." That means "security is becoming more and more significant."
However, he says, firewalls, the first line of defense, "are becoming less significant." That's because "typically they can't see through encrypted traffic," with the result that firms often "don't know what's going through (the network)," and that is how viruses get in.
Rather, he says, the focus is shifting to building security around applications and the application server. "Reliance on technically talented people running the firewall is not enough."
Databases are the other vulnerable area, and there will be more focus in 2003 on securing them, especially because of privacy laws like the Gramm-Leach-Bliley Act, experts say. It imposes on a financial institution an obligation to protect the privacy rights of customers and to ensure the security and confidentiality of non-public personal information.
The legislation limits disclosure of information to non-affiliated third parties and calls on financial institutions, agencies and regulators to set standards to ensure the security and confidentiality of customer records and protect against unauthorized use of such records or information.
Gossels notes that while intrusion detection is a topic "talked about a lot," there's been "little deployment." But he, too, feels that's about to change. "I do believe 2003 will see the significant deployment of at least rudimentary technology."
Also, firms have been "somewhat haphazard in penetration testing" and that will change, he says. Firms are now implementing policies that "all external applications be tested before they go live. That's a pretty big change from what's gone on before," says Gossels.
Chris Klaus, chief technology officer at Internet Security Systems Inc. in Atlanta, Ga., a security-consulting firm, says he's starting to see a shift from "vulnerability assessment and intrusion detection to more dynamic protections."
He says the standard practice for dealing with security holes has been to apply one of the many patches that vendors issue. He says while that's fine for a single machine, patching multiple units can be time consuming and costly. It requires rebooting and "is a bad thing for production servers. The last thing you want to do is put security patches all over the place."
The solution, he says, is deploying more dynamic technology measures and moving to "automated protection agents that can apply virtual patches."
The idea is that such agents shield a known hole by blocking the traffic that exploits it, rather than waiting for every server to be patched and rebooted. They are scalable and can be managed using policy-reporting tools. "You can reduce your total cost of ownership significantly over manual protection," says Klaus.
As well, he says, intrusion detection will get more sophisticated than simply a "burglar alarm. Don't just tell me I am being attacked. It would be much better to block the attack." That's where the technology is headed, he says.
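The "virtual patch" Klaus describes, and the blocking rather than alarm-only intrusion detection he expects, come down to the same mechanism: a filter in front of the vulnerable server that recognises traffic aimed at a known hole and drops it before the unpatched code ever sees it. The added example below is not code from the article or from Internet Security Systems; it is a minimal inline filter for the Code Red case described earlier, written here to show the technique. The sample request lines are constructed for this example (the Code Red-style one is modelled on the worm's long `default.ida` query with `%uXXXX`-encoded payload), and the 512-byte query threshold and the rule names are assumptions chosen for illustration, not vendor figures.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass
class Decision:
    allowed: bool
    rule: str  # name of the rule that fired, or "pass"


# Rules a virtual patch for the IIS Index Server (ISAPI) overflow would carry.
# The vulnerable handler is reached through .ida/.idq URLs, and the overflow
# needs a query string far longer than any real index query. MAX_QUERY_LEN is
# an assumed tuning value for this example, not a figure from the article.
BLOCKED_EXTENSIONS = (".ida", ".idq")
MAX_QUERY_LEN = 512
# Four or more back-to-back %uXXXX sequences: the classic carrier for
# shellcode bytes in IIS exploits of that era.
SHELLCODE_RE = re.compile(r"(%u[0-9a-f]{4}){4,}", re.IGNORECASE)


def inspect_request(request_line: str) -> Decision:
    """Apply the virtual-patch rules to one HTTP request line."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        # Anything that is not "METHOD TARGET VERSION" is dropped outright.
        return Decision(False, "malformed-request-line")
    parts = urlsplit(target)
    # Decode the path first so "/default%2Eida" cannot sneak past rule 1.
    path = unquote(parts.path).lower()
    # Rule 1: nobody on this network needs the Index Server ISAPI handler.
    if path.endswith(BLOCKED_EXTENSIONS):
        return Decision(False, "ida-idq-handler")
    # Rule 2: an oversized query string looks like an overflow attempt.
    # This is the rule most likely to produce false positives, so the
    # threshold has to be tuned against real traffic before blocking.
    if len(parts.query) > MAX_QUERY_LEN:
        return Decision(False, "oversized-query")
    # Rule 3: runs of %uXXXX encoding in the query are a shellcode carrier.
    if SHELLCODE_RE.search(parts.query):
        return Decision(False, "unicode-shellcode")
    return Decision(True, "pass")


def summarize(request_lines):
    """Run the filter over many request lines; return counts per rule."""
    counts = {}
    for line in request_lines:
        rule = inspect_request(line).rule
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample traffic for this example (not captured data).
CODE_RED_STYLE = (
    "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0"
)
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",                       # pass
    "GET /search.asp?q=quarterly+report HTTP/1.1",    # pass
    CODE_RED_STYLE,                                   # ida-idq-handler
    "GET /default%2Eida?x=1 HTTP/1.0",                # ida-idq-handler (encoded)
    "GET /cgi-bin/search?q=" + "A" * 600 + " HTTP/1.1",  # oversized-query
    "GET /scripts/x.asp?p=%u0041%u0042%u0043%u0044%u0045 HTTP/1.1",  # shellcode
    "GARBAGE",                                        # malformed-request-line
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        d = inspect_request(line)
        print(("ALLOW" if d.allowed else "BLOCK"), d.rule, line[:60])
    print(summarize(SAMPLE_REQUESTS))
```

The point of rule 1 is that a virtual patch does not need to understand the overflow at all: if the vulnerable handler is not needed, refusing every request that reaches it closes the hole until the vendor patch is rolled out during a planned reboot window. Rules 2 and 3 are the signature-style checks that a blocking IDS would carry, and rule 2 is where tuning against real traffic matters, since a long but legitimate query would otherwise be dropped.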
Another area that Gossels sees firms dealing with in the coming year is wireless networks (WLANs). "Many organizations still don't have their head around what they have out there." While many firms have official policies outlawing staff from using wireless networks because of security concerns, the reality, he says, is that many departments have already deployed them, so firms need to spend time assessing where and how they can be used and properly secure them.
Gossels adds that firms will also need to pay more attention to the "bi-directional" flow of information. Firms can't focus only on what's getting through their firewall, "You have to protect what's going out."
When it comes to virus protection, he says, you need to approach it like health professionals approach a contagious disease. You need "quick detection, containment and communication," so expect to see more focus on anti-virus detection.
Klaus says this could also be the year that firms consider more outsourcing when it comes to security. "We're seeing, in our business, that managed-protection services are taking off." Financial institutions, he says, realize they "don't want to set up a security-operations center 24x7 ... we'll just outsource it."