
Prat Moghe is the General Manager of the Data Compliance division of Netezza (NYSE: NZ). Previously, Prat was the Founder & CEO of Tizor, a data auditing company acquired by Netezza. 


Data Auditing Blog


Data is Asbestos: Prat interviews Andy Jaquith, Yankee Group Security Analyst

Andy’s Background

Andy Jaquith is the program manager for Yankee Group’s Enabling Technologies Enterprise group with an expertise in compliance, security and risk management. Before joining Yankee Group, he co-founded and served as program director at @stake, Inc., a security consulting pioneer, which Symantec Corporation acquired in 2004. Before @stake, Jaquith held project manager and business analyst positions at Cambridge Technology Partners and FedEx Corporation.

Prat: Where is security headed?

Andy: Security is going to hell in a handbasket. Two big reasons –

  1. Life is a lot worse on the client side. New forms of attacks on desktop, not traditional malware, but next generation stuff – high variance, low frequency things. Vista has done many things right in this regard, but most won’t be upgrading to Vista immediately.
  2. Data – massive increases in reported data breaches. Disclosure laws are forcing this to some extent. Some of these breaches are insidious – they can’t be solved easily. Software/tools help but partially. It also comes down to taking a hard look at data, knowing what you have, what you should be collecting, how you are safeguarding – the whole lifecycle.

Prat: You brought up the data issue. Most folks don’t realize how hard it is, and a single tool or encryption does not solve the problem. Is there an analogy to capture this?

Andy: I’ll give you an analogy. Personally identifiable or customer information is like asbestos. It is toxic when airborne, and infects forever. It can cause black lung disease. To solve this problem, masks help temporarily, but really to solve it you need to also build houses differently.

Prat: I did a post recently on the security layered model and its fundamental drawback in not preventing data theft. Has there been a structural hole in the design of security?

Andy: If you turn the clock back to 1998/99, the early SET standard was promulgating a strict stance of not storing actual data. It didn’t work out – equipping all the merchant sites was considered to be too expensive. 8 years later, we are paying for it. We need to have the basic instinct that valuable information should be kept as a last resort, walled off – with a “radon detector” near it.

Prat: You have been both on the buy-side (recommending) as well as sell-side (as a vendor). Are you optimistic that IT staff will “get” data protection/assurance/compliance?

Andy: Certain segments of IT will get it, for example, financial services. The VISA/PCI folks are reasonably smart, and will ratchet screws quite tight over time. The power of contracts has a ripple effect. On the other hand, I am not optimistic about other segments. The health care segment is terminally hosed. They also have the “many-supplier, many-buyer” problem, so security decisions and their impact are fragmented.

Prat: Thanks Andy – I know every minute counts in your business!  

Andy: You are welcome.

Andy is as outspoken as they get. If you have more questions for Andy, please send them by clicking comments below.

For some of Andy’s recent writings, please check out: YankeeGroup.com
