6th European Conference - Academic Conferences
Edwin Leigh Armistead and Thomas Murphy

Agency Corporate Information Security Officers struggle with choosing to simply use a compliance scorecard or going farther to secure their enterprise. It is easier to say you are compliant than to prove you are secure. Both are necessary to deliver cost-effective solutions.

Department-level initiatives drive security agendas. Each USG department has separate initiatives, which in turn drive their emphasis or lack of emphasis on IA.

Trends in security focus follow the path of perimeter security, then data security and most recently coding security. This end-to-end focus on secure design, development and implementation is becoming common in all market segments.

The Information Systems Security Line of Business is not expected to cannibalize short-term vendor sales.

Demand for Integrated Security Services is growing. Standalone (point) security opportunities are on the decline.

Federal agencies still separate IT and physical services. Merger of IT and physical security is impeded by silos of excellence. Successful contract teams will be able to assist in integrating total security services.

The Commercial IA segment of the security industry is characterized, first, by an upper management that is litigation and profit motivated; its major trends are similar to those of the Federal segment. Secondly, there is a very rapid consolidation of the best industry players. Cyber security firms are motivated to rapidly develop and offer full suites of integrated and managed services to meet the demand for full services. Large IT and network organizations can successfully merge with smaller IA firms if the ingenuity of the "pure-play" or point (individual security component supplier) IA firm is not lost. This is a particularly advantageous route to speed up the number and scope of offerings and to acquire experienced IA and Information Security (InfoSec) personnel, who are in short supply. It is reasonable to expect similar motivation and actions in the Federal IA market for the same reasons. Thirdly, there are external factors, including a continuing rise in cybercrime, which follows the earlier increase in terrorism. Significant increases (greater than 200%) in cyber crimes occurred over the last two years. Over 100 million data records have been lost or stolen. The average cost of each data record loss is about $180 per record, giving a total estimate of $18 billion lost over the period of two years: high motivation to client and criminal alike. There is also a modest trend toward offering cyber and physical security in packages of offerings.

Agencies and firms increasingly outsource more security activities each year. They determine that they can achieve cost savings or a higher level of security at the same cost, and tend to increase their outsourcing budgets over time. The firms that do outsource all or part of their IT security activities will see an increase in their level of security per dollar of investment. Surprisingly, although they don't realize it, agencies and firms that outsource security services are also likely to benefit from each other's decisions to outsource. IT security outsourcing has been shown to result in a reduction in the firm's production costs and a freeing up of other resources. (Outsourcing refers to the relationship between a firm and another firm it pays to conduct security activities on its behalf.) However, without careful planning and due diligence, the client's return on investment in outsourcing IT security could be reduced or become negative as a result of a variety of potential costs, including strategic risks (e.g., principal-agent problems), interoperability issues and other transaction costs.

There are several emerging areas involving the "social" and risk management aspects of IA/IO. "Social" is used here to mean relationships among groups of agents, whether individuals or organizations, that involve proprietary information. At the firm level, there is a need to assure individual firms that their partners, suppliers, or any organization they communicate with over the Internet are trustworthy to a defined level acceptable to upper management. The economic benefit of securing all members of the business group is significant. At the individual level there is growing demand to secure interpersonal communications involving proprietary information (marketing, strategy and planning, budgets or financial data): email, data and image exchanges, instant messaging, etc. This is also an area of vital national interest to DoD and other Federal agencies.

In addition, the global environment influencing customers as well as the Federal and Commercial IA segments is characterized by significant stress. Negative pressure from the environment that Federal and Commercial organizations must perform under has increased significantly since 2007. The United States government (USG) and the global international community, nation states, state-sponsored nongovernment organizations (NGOs), organizations, groups, and individuals have rapidly moved into