Management Briefings

Strength through unity: Robin Hollington, Peapod Consulting (February 2010)

A few years ago, I wrote an article for Evaluation Centre on reducing the cost of regulatory
compliance. In it I said: “The cost and impact of regulatory compliance is rising. Even conservative
estimates predict that compliance expenditure will rise by 22% year-on-year for the next five years.”
Well, the cost has indeed continued to rise – whether by 22% or not is difficult to tell as few
organisations can extract this data from the overall IT budget, and the credit crunch has skewed
budgets. But IT projects have been cut and vendor pricing squeezed, whilst security and
compliance costs have remained pretty static, thereby increasing the proportional expenditure
from a single IT budget.
Until recently, corporate governance oversight was largely a matter for public companies, with
the focus primarily on broad topics such as leadership, financial reporting, ethics and
operational risk management.

Putting a lock on the cloud: Alf Pilgrim, Clearswift (November 2009)

Cloud-based IT services – such as on-demand data storage and email outsourcing – offer huge
cost and efficiency savings to UK organisations. But arguably the greatest barrier to businesses
taking full advantage of cloud computing is the issue of security.
Recent high-profile breaches of the cloud (an attack on Twitter being perhaps the most
publicised) have only served to heighten concerns.
It’s true that the potential consequences of a breach of cloud security are catastrophic, and this
knowledge has served to make the debate rage even more fiercely. A cloud security issue
within an organisation has the potential to be a major business crisis, and against a backdrop of
heightened public awareness of data loss and privacy issues such as ID theft, it’s
understandable.
Yet there’s no denying that cloud computing is gaining momentum and will continue to become
more and more mainstream. This year, for example, the UK Government announced that it
would be developing a cloud infrastructure (the ‘G-Cloud’).

Looking to the long term: Farhan Mirza, A.T. Kearney (September 2009)

To cope with the financial pressures put on them by the current economic downturn, businesses
are increasingly looking at their IT operations for cost savings. In fact, according to a recent
survey of 50 organisations by management consultancy A.T. Kearney, a massive 78% of IT
executives are under ‘severe pressure’ to cut costs, with a third seeking double-digit cost savings.
The report examines whether the cost-cutting measures corporate IT are taking are likely to be
effective or even sustainable, when faced with the possibility of a prolonged recession.
It finds that 75% of organisations are relying on short-term tactical measures to deal with the
downturn – such as deferring spend or cutting back on discretionary expenses – to contain
expenditure rather than cut costs that stem from inefficient ways of working.
But A.T. Kearney warns that, as business revenue, number of users and transaction volumes
continue to fall during the downturn, IT costs will need to reduce even further to track efficiency
benchmarks. And while the economic outlook is still unclear, the downturn could, many
forecasters predict, be slow and prolonged and last until 2011.

Room for a (new) view: Richard Williams & Gordon Miller, Procertis (June 2009)

Managing IT service delivery doesn’t look like it should be all that hard. After all, this is one of the best codified and
constrained areas of activity in contemporary business. The goals, standards and penalties of service delivery are enshrined in
service level agreements (SLAs) which spell out the obligations of each party in the relationship, while quantifying the costs
and benefits accruing to each.
Sadly, despite this structure, service delivery as viewed by the business is notoriously difficult to achieve, while SLAs prove to
be a focus for conflict rather than partnership. Why is this so? And what can business leaders do about it?
Experience suggests that the underlying problems with IT service delivery can be traced to an incomplete appreciation of what
exactly service delivery is, and what it is for.
By building a more complete vision, leaders can create service relationships that are more valuable and harmonious. More
importantly, they can align themselves with the evolution of the enterprises they serve, ensuring that the business can grasp
new opportunities without being held back by IT.
This article examines how this can be achieved, while also showing how SLAs might be re-invented to serve the real needs of
the people they are meant to benefit.

Doing more for less: Jon Leary, CSA Waverley (April 2009)

Given the economic recession, an inevitable focus for many organisations at the moment is
working out how to do more with less.
This imperative, combined with growing demands to tackle disaster recovery and security more
effectively – not least in light of the seemingly endless stream of data breach stories hitting the
headlines lately – means that the pressure is now on to sort out these key IT infrastructure
issues despite progressively limited budgets.
But for once, there is a straightforward way to kill all of these birds with a single stone. Rising
numbers of organisations are recognising that backing up their valuable corporate data on tape
is no longer adequate and are instead turning to disk-to-disk backup as the answer.
As a result, uptake of this tried and tested digital technology has already jumped to an
estimated 21% of the total market this year from a mere 8% last year – and the pace of
adoption is expected to increase.

Virtual's a reality: Martin Banks, Bloor Research (February 2009)

Virtualisation technologies – coupled with what Bloor Research is now calling the ‘information
exostructure’ – are seriously changing the rules for managing disaster recovery.
This is still one of those areas where a large percentage of users seem to believe that it simply
cannot happen to them, so there is no need to either plan for it or make any specific provision
for it. Now, though, the information exostructure is making planning and implementing disaster
recovery strategies a far easier prospect.
The key questions that business managers must ask themselves, if they do care to consider the
potential for disaster for their businesses and how they might recover from it, are: what would be
the impact on the business if something serious did go wrong with our information management
environment, and how long could we survive without it?
Such obvious questions have little to do with the specifics of the IT infrastructure being used, but they are the bedrock on
which a disaster recovery management strategy is built.

Are you a vulnerability?: Daniel Dresner, NCC (October 2008)

The biggest threat to information confidentiality, integrity and availability is its unacceptable use by staff, contractors, partners
and former employees. That’s the conclusion of a recent National Computing Centre (NCC) ‘survey of surveys’ – reviewed by
members and scrutinised by experts. In other words, information security or assurance is, as so many like to announce, a
people problem.
But it’s not just people! There seems to be a tendency in security to grab at ‘silver bullets’ and focus on the kind of single,
limited-vector threats that silver bullet solutions are needed for. But there’s a danger that this attenuates risks to information
security into a model that’s too simple to be helpful.
Confident slogans that look good in headlines and on T-shirts help us to model complex challenges – but they do not abrogate
our responsibilities to maintain a comprehensive view of a problem. This means dealing with people, processes, and
technology. Keep models in their place; be tough on both risk and the causes of risk.

When disaster strikes: Chris Potter, PwC (August 2008)

Disasters have shaped history since the birth of mankind. As Homer once put it, the man who runs from disaster does better
than he who is caught by it. Saint Anselm observed that disasters teach us humility, while Germaine Greer has speculated that
catastrophe is the natural human environment and that we are all programmed for survival amidst it.
But within the business and technology context, two things are clear. Firstly, catastrophe is not the natural environment for
delicate computer systems. Secondly, computers are not very good at running. So contingency planning is vital to ensure that
IT systems can be recovered if they are knocked out by a disaster.
You only have to look at world events over the last year to see how fragile our way of life can be. Whether it is the cyclone in
Burma, the earthquake in China or last summer’s flooding in Tewkesbury, the news is often dominated by disaster stories.
Most scientists believe that the climate is changing and this will make natural calamities more frequent and more severe. So,
disaster recovery has never been more important.

Unseen enemy: Steve Nimmons, Atos Origin (May 2008)

I recall (approximately eight years ago) reading an interesting poster on social engineering at a
well-known electronics company in California. This wall-chart communicated sensible advice for
dealing with unsolicited phone calls, ‘chance’ conversations and the importance of discretion
when discussing corporate matters on planes, trains and automobiles.
Topics such as tail gating, the ‘risk of gallantry’, the social and psychological tricks used by
experienced practitioners to project ‘belonging’, the need for discretion and vigilance in public
spaces and of course ‘clear desk policies’ were explained in concise, relevant and accessible
language.
In this way, workforces across this and other enterprises were equipped to deal with the primary
aspects of corporate social manipulation. Using inhouse and industry standards, they shared
the wisdom of primary threats, expected behaviours and above all encouraged staff training and
awareness.

Working the web: Cliff Mills, PMP Research (March 2008)

Web analytics is the process of analysing the behaviour of
visitors to a website. The aim is to help organisations
maximise the value of their internet marketing and improve
the design of their website. By understanding visitor
behaviour, organisations can tailor their marketing initiatives
to attract, retain and grow the value of customers.
To see how companies are progressing in using this relatively
new marketing tool, PMP Research surveyed a cross-section
of leading organisations for their opinions on the use of web
analytics software.
For the majority of organisations (80%), the analysis and
activity monitoring of their websites is undertaken by
inhouse staff, with only 6% selecting an external company
and 14% using a mixture of internal and external
resources.

Sword of insecurity: John Walker, Secure-Bastion (January 2008)

Within a small timeframe, business has evolved to embrace the delivery channels of the
internet. Companies increasingly have a globalised footprint, generating vast profits from online
e-trade and adding much to the gross national product (GNP) of their respective countries and
continents. We also see a wide utilisation of offshore service providers, supporting remote
systems and applications and the development of code.
The lower running costs offered by the internet are also attractive to business. Many
corporate and mid-sized companies are deploying lower-cost IP communications, ranging
from pure VoIP to the more popular technology of choice within the mid-sized community,
Skype.
Overall, in many respects business is doing very well indeed, notwithstanding a downturn in some areas of the global
economy.

Putting in storage: Peter Williams, Bloor Research (October 2007)

The near-exponential rise in data storage requirements is an escalating problem, and it
manifests itself in soaring costs, degraded performance for backup and retrieval, slower access,
and more complex storage management.
Storage equipment producers are delighted to sell more systems but even they are beginning
to see the spectre of systems becoming unmanageable or unusable, so crippling their
customers.
This has concentrated minds, and a number of technologies have emerged which counter the
effects of the storage explosion (although not its causes). A few companies have patented
some aspect of their software but mostly they have adapted existing techniques.

Phishing, pharming and other cyberspace scams: John Hookham, Adrelia (Jul/Aug 07)

Throughout history, confidence tricksters and their scams have always existed. In the age of the
internet the old classics are alive and well and new ones have been invented. And despite
warnings that con men and fraudsters out there are after your money, millions of normal
computer users and many businesses still fall victim to cyber crimes.
Some scams are easy to avoid and some are fairly obvious, but others are more subtle, some
are downright fiendish and a few are quite simply despicable – preying on the most vulnerable
and often desperate members of society.

Business risk: the bigger picture: Martin Atherton, Freeform Dynamics (May 2007)

Many organisations spend a lot of time and money chasing regulation and compliance. But taking a step back and revisiting
information management strategies in the context of the broader landscape of business risk could help them address multiple,
critical challenges.
In fact, many businesses are beginning to adopt a more formal approach to risk management. The more forward-thinking
among them are taking a co-ordinated, executive-led approach and appointing a chief risk officer (CRO) – particularly in
financial services, where 48% of firms have a CRO in place compared to the overall average of 36%.
Organisations are also striving for more co-ordination at a practical level – between physical and IT security, and across
security and information management.

As safe as houses: Allan Cooke, Akubra (April 2007)

Most of us are familiar with the concept of domestic security. We understand the value of our possessions, the threats
to our home and family, and take appropriate measures.
But in the business world, with an intangible asset such as information, how do you achieve similar confidence in your
security measures? Do you know what the threats to your information are, and how to protect against them?
Security product vendors have a vested interest in casting fear, uncertainty and doubt over the levels of protection
organisations have implemented, and would prefer you to solve problems through the deployment of costly solutions.
Without the ability to assess the value of information, organisations risk having an expensive and possibly ineffective
information security policy.
Whether or not their security expenditure is appropriate depends on the specific nature of each business. Organisations
therefore need a mechanism for establishing which information assets need protection, and a way of assessing the
cost-effectiveness of security measures.

Mind the gap: Colin Butcher, XDelta (December 2006)

We have a support ‘time bomb’ waiting to explode. It has been created by the widespread loss
of experienced business continuity staff, the lack of new people coming through to take their
place, and across-the-board cost cutting initiatives such as outsourcing and offshoring to the
cheapest supplier. Getting good value is important, but cutting costs to the point that quality of
service is impacted at the front line will cause long-term damage.
In practice, an ‘expertise gap’ is growing between the necessary level of skill required to support
companies’ technical infrastructure, the immediately available level of skill with end-user
organisations and, crucially, the immediately available level of support from manufacturers and
suppliers. This is creating a major risk to the survival of businesses when they have problems
with their technology infrastructure or with their external communication mechanisms.

21st century IT: B Challinor/I Barnes, Intelligent Network/ProsolveIT (Oct 2006)

In today’s challenging environment, businesses are being asked to respond faster to competitive and customer challenges; and
they are looking to IT to be a differentiator, providing flexibility and speed as they address complex business issues. IT
managers are seeking solutions that provide both agility and reduced cost – and service oriented architecture (SOA) is being
characterised as the next big thing in IT infrastructure development by both industry analysts and the IT press.
Gartner is predicting that by 2007, most companies will adopt SOA frameworks for new applications and will have the
infrastructure required for wrapping legacy applications and integration across processes.

Horses for courses: Paul Mellings, Xantus (August 2006)

The term virtual private network (VPN) is well-established in IT parlance, though it can mean
different things to different people. For some, it is intimately linked with the internet, whilst
confusingly for others it is a way of avoiding all that is bad about the internet. Muddying the
waters further, the term also has connotations in the voice networking arena. This article seeks
to clarify the differences between various VPNs and discuss the features, benefits and
applications of each.
So what is a VPN? What is true of all VPNs is that they provide connectivity between two or
more places using a previously established shared network infrastructure – rather than having
to deploy new, dedicated hardware specifically for this purpose. By ‘overlaying’ new secure
logical links or channels on top of an existing physical network infrastructure, it is possible to
emulate a dedicated private network without the expense, time and trouble of building one.
Hence the term ‘virtual private network’ – it looks and acts like a private network but by being
built on shared infrastructure, fundamentally is not.

In the frame: Alan Calder, IT Governance (June 2006)

If information is the lifeblood of the modern enterprise, information technology provides its
circulatory and nervous systems. In a ruthlessly competitive business environment, IT makes
possible the move from a tangible asset-based business model to an intangible intellectual capital
based one. Information and IT provide competitive advantage, improve productivity, reduce costs,
support communication and operational capability, and are essential for financial reporting. This
should put information and IT near the top of the board agenda: IT should be a governance issue.

IT yesterday and today: Terry Critchley, TAC Associates (April 2006)

The IT world today is far more complex than it was 15-20 years ago when the internet, data warehousing and
knowledge engineering were relatively rare. As a result of this complexity, systems migration and consolidation have
become key management issues.
Back in the 80s the mainframe, under centralised control, still ruled the roost but Unix was being considered for new
applications which may have been on a backlog in the mainframe environment. In addition, there was a surge in the
availability of application packages, a thing unknown on the mainframe – where nearly all applications were bespoke
and very organisation-specific. Many of these programs still exist today as core business applications, often because
they do the required job and there is a massive investment in the software.

Building a security awareness 'matrix': John Walker, Experian (February 2006)

It would seem the penny has finally dropped about the threats faced by internet users
that could impact both the business and end users alike. The problem for most security
professionals is that their non-security colleagues tend to view them as semi, if not
totally, paranoid, with a tendency to read far too much John le Carré. In other words,
they appreciate the necessity for much of what the specialists have introduced, or wish
to introduce, but feel that it simply gets in the way of the real world of business.
However, this attitude appears to be changing.
In mid-2004, I attended a meeting with an external specialist group to consider the
threats posed by online vulnerabilities. At the meeting, we discussed the dangers posed
by ‘phishing’ attacks and I suggested this would be a significant risk as we moved into
2005/6. In my opinion then, phishing should not have been considered a passive
threat, but one with very real potential to damage online confidence.