Q&A: It's a never-ending battle for security. But things are looking up, and for those in the business of protecting corporate networks and data, it means making sure all the bases are covered.
Mark Stevens, chief strategy officer of WatchGuard Technologies, said more companies are now thinking about security when implementing an application, not after it.
"We're starting to see people put in new business systems and think about how to do that in a secure way," he said. Contrary to popular belief, focusing on security while implementing new business systems is cheaper in the long run than trying to tack it on afterwards, he added.
Stevens, whose portfolio includes mapping out product, technology and marketing strategies, believes education is one of the key ways of combating security threats. He advocates educating businesses on the perils of looking at security only when problems surface.
In an interview with ZDNet UK sister site CNETAsia, Stevens gave his views on the recent attacks against Japanese Web sites by Chinese hackers and suggestions on how IT managers can convince their management to pay attention to security.
Q. A recent WatchGuard study shows that spyware is the top concern among IT head honchos. How has spyware managed to get out of control?
A: Over the last couple of years, the antivirus companies have done a very good job in taking care of worms and viruses. But they've been very slow to respond to spyware.
A lot of people would expect the antivirus companies to respond quickly and be protected, but that wasn't the case. This is because spyware tends to be different from traditional viruses, and is often seen as a gathering tool rather than for malicious purposes. Certainly, early spyware did that: gather statistics about how many users were visiting Web sites. But it quickly mutated and became a technique for getting things like key loggers into people's computers. It just caught a lot of people by surprise, including the antivirus companies.
And so, CIOs suddenly found they had a big problem. There was a scramble to look at anti-spyware technologies and to get them into place quickly. That was what caused the sudden rise in concern over spyware.
Q. Numerous industry surveys have indicated security as one of the bugbears of IT. Is the world really that insecure as we speak?
A: Yes, it is. The problem is that there is not enough effort put into security design. Wireless is a great example of that. The wireless standards were created without the input from the security folks.
For instance, WEP was a complete failure. If security engineers were engaged in the development of the standard from the beginning, we would have WPA type of security from day one and this would have sped up wireless adoption.
What we need to see in future is more engagement of security engineers in the design phase, and to build enterprise protocol into products.