IT security purchasing decisions are emerging as a complex process in 2003 with auditors, insurers, lawyers and risk managers all being thrown into the mix as liability fears and legislation drive the enterprise agenda.
Vendor selection has shifted to technical standards and international ratings such as the Evaluated Assurance Level (EAL) and Information Technology Security Evaluation Criteria (ITSEC) to satisfy auditors.
Tenix Datagate executive general manager Peter Croft said this new landscape means IT security decisions are business-based, not technical, which is why government and military standards are the new benchmarks in the commercial sector.
Croft said auditors cannot sign off on accounts if they are not confident the data is protected, which is why they are seeking independent certification.
"Just as insured homeowners get a decrease on premiums if they have security in place, the same applies to companies, which is why insurance companies will take center stage in IT security decisions in 2003," he said.
In the past, Croft said, IT security purchasing has been piecemeal, comprising "a token effort over here and a firewall over there."
He said that is how most enterprise security has evolved — without structured architecture — but the time for this approach is passing.
In the current climate, Croft said annual IT security audits are essential, but admitted spiralling costs do come into play.
Speaking to Datagate customers, which include Australian financial institutions, Croft said their priorities are managing budget and mobile communications because the "richer the 3G service the greater the security risk."
"These days companies want bulletproof, military-level solutions, a requirement that is also being fuelled by the need to protect critical infrastructure such as telecommunications and banking," he said.
Croft said one example is the anthrax threat in the US via the postal system, which is designed to stop people opening mail.
"The banking system in the US is very fragmented and is state-based; much of it is still done by check and mail, so any threat to postal services has huge ramifications for the financial industry," he said.
Only last year Tenix Datagate launched its range of separate network security (SNS) products, dubbed Veto, which were previously only available to military and intelligence agencies.
The Veto range came out of a research initiative with the Australian Defense Science and Technology Organization (DSTO), the defense equivalent of the science agency, the CSIRO.