Identifying security as an issue is one thing; actually doing something about it is another. Where do CIOs go for help in the face of a growing range and number of system threats? According to IDC, they’ll be spending the greatest proportion of their security outlay -- more than a third -- on services this year. What services? Few local security service providers spring to mind, suggesting both that there’s an entrepreneurial opportunity going begging, and that CIOs looking for a third party to ease their security fears face increased anxiety.
Of course, it’s not quite like that. Large organisations are catered for by large vendors and consultancies and, on the face of it, they’re having their needs met. That’s the conclusion you’d come to based on the number of occasions when their security has been breached, at any rate. There are few known instances of large New Zealand organisations falling victim to hacker attacks or virus infection. Not that victims tend to go around publicising the fact.
It’s smaller organisations that IDC is presumably talking about: the ones that have less generous IT budgets, lower public profiles but, increasingly, a need to do something about system security. For the kind of organisation that fits into the top tier of IT user -- banks, for example -- the need for watertight security is obvious. If compromised, the effect on customer confidence would be devastating for business.
Smaller outfits, however, are slower to realise the risk they’re exposed to.
Consequently, it’s their misfortunes that tend to be written about when each new security menace materialises.
If you’ve been lucky so far, perhaps it’s time to stop leaving security to chance. Industry watchers say there tends to be an upsurge in interest in security products and services in the aftermath of the latest overseas attack. But the level of sustained spending on security lags that of US and European organisations. In the European case, that’s undoubtedly partly because governments mandate certain security requirements for organisations that deal with them.
Even so, those in the local security business report a change over the past few months. One longtime service provider says the number of audits the company is performing today is several times that of a year ago. He thinks IDC’s 36% security spending growth estimate is probably conservative.
Another who provides an alert service says Slammer has had the effect of sharpening awareness of the issue. However, after struggling for a number of years to interest local organisations in the service, his focus is overseas. In contrast to local indifference, he says, the EU has noted the potential of his company’s freely available database of security alerts.
A third company eyeing the security opportunity is working with a partner to provide a managed service based on its locally developed bandwidth monitoring software.
The perception that local services are scarce is probably off the mark, then. And in fact, Investment New Zealand surveyed the scene a year ago to see if there was potential to create an e-security cluster. It concluded there were about two dozen local developers working on security solutions. The cluster’s not going ahead, but since last July plans have been under way to establish a specialist lab at the University of Canterbury to boost the quality of local e-security products and training.
Its mission is to assist with the commercialisation of local security products, provide end users with a means of testing system security, and boost security research. If IDC’s predictions are borne out, the lab will be much in demand.