By Jon Surmacz
Testing your systems for security holes, a practice known as vulnerability scanning and assessment, is a necessary part of doing business today. Matthew Kovar, director of IT infrastructure security at Boston-based Yankee Group, believes that CIOs would be lax if they didn’t audit their own vulnerability scanning with a third-party. Yankee Group estimates that managed security service providers stand to make great revenue gains over the next four years as the global vulnerability scanning and assessment services market grows from $US65 million in 2002 to $US190 million in 2006.
Kovar says having networks scanned and tested by a third party is akin to having outside accountants check the validity of a company’s balance sheet. Because of a lack of time, personnel, and money, it can be difficult for an internal IT group to keep up with and properly install the latest patches for buggy software. Getting outside help is part of good due diligence for a CIO, Kovar says. “CIOs should be employing third parties to assess the assessments they do internally,” Kovar says. “You do it with your accounting. It’s the same thing for security.”
The return on investment proposition for vulnerability scanning lies in reduced software and personnel costs, reduced costs for deeper security audits and reduced insurance premiums if companies can demonstrate that they are meeting certain security demands from their insurer. Kovar recommends that vulnerability scans and assessments be done on a quarterly basis. The analyst says IT investments represent a financial risk that CEOs and CFOs don’t often consider. For instance, protecting customer data is of ultimate importance to an organisation, but employing the kinds of measures it takes to ensure its security is not always recognised outside the IT group.
“We’ve been saying that we believe the exposure organisations are leaving themselves open to from an IT perspective is the largest liability that is not part of an organisation’s annual statement,” Kovar says.