WHITE PAPER
The Coming of Age of Client Security: Top Managers Realize They
Have to Lock Down the Point of Entry
Sponsored by: IBM Corporation
Roger L. Kay
January 2003
SUMMARY
Although security technology has progressed tremendously over time, awareness of
the need for security on the part of people who use computers — both consumers
and businesspeople — has not in general kept pace. Essentially, there is plenty of
technology on hand, but the understanding of what it does and how to use it has
lagged. However, much has changed since the attacks of September 11. CEOs and
IT managers everywhere drew lessons from the differing fates of companies that had
backup and restore procedures and those that didn't. Data recovery is, of course, only
one piece of the security pie, but as political tensions have increased on the macro
level, this and other security concerns have risen in visibility with top managers. "To
what degree is our data — and therefore our business — safe?" CEOs are now
asking in ever greater numbers and with increasing vehemence. "Just where are we
with security?" they want to know of their CIOs.
This shift in attitude represents an evolution from the pre–September 11 state, which
was characterized by a vague awareness of some subset of security issues but a
misunderstanding of the complete security picture and a widespread lack of adoption
and deployment.
Now managers are beginning to assess their vulnerability and to ask what their
alternatives are.
In most corporations, the security infrastructure is still inadequate and full of holes.
Even the most sophisticated organizations are vulnerable. In one incident, widely
reported in the press, that had an impact of major but unknown proportions — the
degree of penetration was difficult to assess — a hacker from St. Petersburg, the
intellectual seat of the old Soviet Union, broke into Microsoft's network and
absconded with a large number of important files, including, purportedly, an unknown
quantity of Windows source code files. Naturally, Microsoft never advertised the
extent of the damage — if, indeed, it is actually known. And if a company at the
epicenter of the information technology business is vulnerable (and by inference
should know better), truly, no company is safe from attack.
The security threat is growing in several dimensions at once. The amount of value
flowing across the network — in the form of actual money, but also business plans,
intellectual property, and strategic documents — is rising by leaps and bounds. And
value is at risk in less obvious ways. A reputation can be damaged irreparably by an
attack, business can be lost as a result of downtime, and the trust on which e-business
is based can be destroyed permanently. To the growing list of imaginative crimes
must be added identity theft, which has become a veritable cottage industry. In
addition, malicious hackers are getting more sophisticated. Malevolent programmers
are not only figuring out more effective ways to harm businesses and individuals but
are also publishing their tricks on Web sites for other less creative, but perhaps more
vindictive, people to find and use.
Global Headquarters: 5 Speen Street, Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com