By Sean Robson
James Lyne, senior technologist at Sophos recently visited the region and sat down with NME to discuss the challenges facing IT professionals in the coming year
Security is a major issue for enterprises across the world and the region. James Lyne, senior technologist at Sophos recently visited the region and sat down with NME to discuss the challenges facing IT professionals in the coming year.
Why are you visiting the Middle East?
Sophos is a company that for many years has had a focus on Europe and the Americas as our prime areas of growth. Increasingly though we are recognising that the Middle East is a significant opportunity for us as a company and we are putting a concerted effort into developing our presence here.
If you look at data leakage actually, it’s not really a technology problem. That’s not to say you cannot do things in technology terms that help and are good but customers trying to deal with that problem would actually be better off looking at their usage policies and how they serve the user.
I think what has been very surprising to us is that in visiting customers here we find that our value proposition resonates extremely well with people in the Middle East during this present economic climate.
Frankly we are here to retract Symantec, Trend Micro and McAfee’s market share and to introduce a better product into the market.
Data leakage, malware and attacks are on the rise but given the current financial climate IT managers are under pressure to reduce budgets. Why should they invest in security and what should they be investing in?
I think the message we are hearing from prospects and customers in this region is indeed that investment in new technologies, trying to be more proactive is a risk management exercise, and right now given the impact on the bottom line people are prepared to take chances more so than possibly previously and thus are focusing on core areas of security.
So are we seeing customers adopting anti-virus less, but are people taking anti-virus off the systems? Absolutely not, I think it’s broadly accepted that the malware problem is rife and that the impact of malware on people’s systems is extremely detrimental even in the present financial economy.
Are we seeing a slowdown in the adoption of technologies by the market that are not broadly seen by the market as absolutely crucial for example NAC, data leakage compliance? Absolutely.
I think that the standalone market for data leakage prevention (DLP) is collapsing in on itself very quickly. People see these things as optional.
I think there is something in the phrase, ‘doing more with less’. If I look at our product set and the value proposition we are offering our customers is the ability to take the set piece or even a reclining piece of budget where they know they have to spend on anti-malware technology, the more traditional desktop security and to introduce protection against data loss, DLP, to introduce additional capabilities like encryption, compliance and to help them do more with less.
People really value not just product bundles at this time but actual integration. People don’t have extra resources to throw at administration, it’s not just a question of the cost of the license, it really is about the total cost of ownership and running these systems. People need to be smart about where they invest right now.
Traditional end-point security focused on the malware problem domain is a must. The escalation we have seen in the past six months is a serious problem. We are seeing ten times as much malware over this month as compared to all of last year.
It is significantly more complicated prolific malware then we have seen for quite some time. If you look at it at this moment, then every single instance has targeted an individual. It is incredibly difficult to detect much of this malware with many of the traditional mechanisms that were used for IT security.
Then you get signature anti-virus, if it wasn’t dead last year then it really is dead this year. That’s a significant problem for customers and if you combine that with the fact that the malware authors are absolutely targeting intellectual property, personal identifiable information, assets that in a down economy differentiate you from your competitors then I think that malware is still a problem that people recognise they need to solve.
When it comes to the data leakage market as a whole then I think a great deal of it is hype.
You take the data problem and divide it into accidental and malicious then there is a myriad of solutions that position themselves as being able to comprehensively solve the malicious data leakage problem and frankly that’s not true and it doesn’t work.
I have spoken to people who offer solutions that claim to prevent me pulling out my digital camera and taking a photo by adjusting the screen solution. Clearly rubbish. There are fantastic buzzwords like automatic ontological analysis engine but these solutions are simply not practical.
If you look at data leakage, actually it’s not really a technology problem. That’s not to say you cannot do things in technology terms that help and are good but customers trying to deal with that problem would actually be better off looking at their usage policies and how they serve the user.
The majority of data leakage cases we see are actually related to people accidentally exposing data, trying to use webmail tools, or the many people forwarding their e-mail through external services so they can access them from the road.Do we advise customers to invest in DLP products? Broadly speaking no. That said I think there is a portion of data leakage being a serious and sensitive issue that can be solved technically. This is the portion that we are focused on building out in our products set which is the accidental data leakage piece, trying to assist people copying company accounts on to an un-encrypted USB device.
Compliance as well is a serious issue now. Investing in stand alone compliance solutions is really not on the option sheet for most companies now but regulation continue to run strong and in times of economic pressure greater sensitivity is applied to them still.
How is the Sophos IT team internally preparing to handle the crisis? How has the financial downturn affected your budgets?
Our internal IT team have two significant challenges. The first one is the need to innovate, the need to look at new business process tools.
We, like everyone else, want to take advantage of social media, like Facebook and LinkedIn. We want mobility and as much as everyone else taking advantage of these tools means a change in how we think about the IT environment, we consider a grand proportion of our network, our users as being de-parameterised. We seem much of our corporate network rescinding at the same time clearly protecting our corporate assets and protecting our customers means running lockdown areas of networks.
Right now IT is investing heavily in virtualisation technologies, thin client access technologies and mobile technologies so that we can provide our users with the flexibility required.
As for the affect on our budget, I think we are possibly an exception to many organisations in that being an IT service provider we have to continue to invest in that infrastructure to serve our customers. We are not actually cutting budgets, we are still growing them as it is such a core function.
Most IT managers tend to look at security and storage as separate elements still. How is Sophos working to remedy this image and bring the two together in manager mindsets?
I think this is a broader issue of operations infrastructure and security. They are very much still separate functions in most organisations and lots of analysts have talked about this convergence but it still has not really happened. If we ignore the separation of people working on these problems and approach it from a technology perspective and we look at the trends affecting our customers’ IT environments then they need to come together and quickly.
Increasingly as we look at service as a software (SaS), cloud computing, the fact that more of us are accessing data on the road and that storage might be out in the world and not locked down in the server room and providing high availability services to computers in our corporate network we really have to consider that the security model or enforcement points we traditionally had must change.
I like to think of it as security being application and data-centric. I think there are definitely some integration points with storage and security but I would not go far as to say that Sophos is a company that actually wants to go and offer storage services itself. Do you believe there are any specific Middle East trends in security that sets the region apart from others globally?
I think there are a few interesting ones, firstly we are seeing a much higher adoption of virtual desktops in the Middle East then we are seeing in other countries.
This is interesting because if I look at Europe and the Americas then our customers are talking about these things as better solutions for mobility and doing operational control but we are not really seeing large scale adoption.
We have linked that heavily in Europe to the fact that people are not prepared to invest to be able to take advantage of the potential operational improvements of technologies like virtual desktops. What are the biggest challenges facing IT managers today?
I would say aside from the previously discussed financial and political challenges it would be a bit of a role shift.
IT was traditionally focused on providing some core infrastructure services and security that consisted of having an anti-virus agent. It has been increasingly tasked with providing data security which I think is a much more complicated problem. Consider what it takes to write a DLP policy. It involves working with senior management and HR, defining policies, with finance and each of the individual teams to gain acceptance of what is and is not acceptable legitimate behaviour.
IT needs to understand the data of business processes much more to be able to assist with that problem, so I do think there is a bit of a role shift going on and it will continue to shift.
In technology terms I think ‘consumerisation’ is a huge challenge. What I mean by that is the increasing prevalence by end-users to make technology decisions on their own. You can link that to a few other trends like SaS for example. Now where I can go online and adopt applications on my own, access webmail, get limitless storage. It is very easy for me as an end- user to bypass the structure that IT provides and put my data into the cloud. I can provide my own infrastructure if I am not happy. I am seeing lots of customers struggling with a user base that wants to take advantage of these tools and IT struggling to stop them.I think that IT managers generally are realising that they have to embrace these changes and these tools and provide their own infrastructure so that end-users get the flexibility they require and find a way of developing effective security with it.
A great deal of strategic outsourcing, we are finding that companies are taking operating systems, applications, build environment and hardware production and outsourcing that to vendors to take advantage of those services much more. There is also more focus on application delivery and business process which is very sensible.
What new solutions and innovations can we expect from Sophos in 2009?
So we have an exciting major upcoming release where we will be looking at significantly increasing our capabilities in the area of data leakage prevention. Helping customers’ deal with the portion of DLP that we think is valid and we will be including that for our customers as part of end-point security. So they are not going to have to go out there and spend more money on an additional product, it is all integrated into our same console.
There is also the increased mobile usage and the loss of the managed endpoint together with the concept that users will be accessing data and applications from anywhere. I think that we are going to see very quick adoption of that model and I think that there is a risk that as IT managers we are not going to catch up.
We have completed our acquisition of Utimaco so we are looking at integration of encryption technologies and packaging those products together so that customer can more easily take advantage of those solutions.
There is a great deal of focus for us in innovating in the threat protection area. That has always been strength for us and is the core of what we as Sophos do as a company.
We are making some heavy investments in that area to get ahead of the malware authors again. We are finding that a lot of customers are really struggling with the clean up of the newest more prolific threats and we are running some serious campaigns to get in there and help them clean up.
What percentage of the overall IT budget do you recommend an IT manager allocate towards security?
This is a very challenging one and if you take it in the context that this is an average then I think historically when I have spoken to people then security has been as much 30-35% of the IT budget which is a significant portion.
I would also say that it tends to be the largest percentage wise of all the IT sectors. Generally when I talk to customers and look at how they are spending and what they are doing in security I find that there are significant opportunities to reduce that budget and do a lot more.
My guidance would probably be around 20% if you are broadly covering mobile devices, storage, data leakage, compliance and anti-virus. I think that there is a significant opportunity for many companies to consolidate their vendor relationships and consolidate their spending.
What is the biggest threat to enterprise security today? How can it be addressed?
The biggest threat and the piece most enterprises are struggling with the most is this latest and greatest malware. It contains command and control capabilities, intelligent means to find confidential data. I have seen some malware which exhibits rules for finding confidential data that is comparable to some DLP products. We are really talking about intelligent software produced by organised criminals and I think this is the most widespread problem for enterprises.
Frankly, I suggest they address it by taking advantage of an endpoint security product that uses HIPS technology, behaviour technology that has a modern outlook on malware protection.
Outside of the malware domain I think the biggest challenge is accidental data loss, and not in the sense of the actual loss but I think it is the risk of actually investing in that problem domain in a nonsensical fashion because of hype.
I would really encourage people looking at the data leakage problem to step back and look at the problem they are trying to solve, put their business hat on and employ a mixture of risk assessment and technology assessment. We are seeing lots of people rushing out there and buying technology but by recognising that it is broadly a policy issue will save a lot of time and money.
What do you consider to be the biggest threats facing enterprise data safety in the near future?
Broadly from a business scale I would say that the biggest problem at the moment is driven by ‘consumerisation’, the change of the operating environment.
There is also the increased mobile usage and the loss of the managed endpoint together with the concept that users will be accessing data and applications from anywhere. I think that we are going to see very quick adoption of that model and I think that there is a risk that as IT managers that we are not going to catch up.
Within the threat domain and malware I think we can expect an increased velocity of the threats still and I think that as netbooks, iPhones, mobile devices for accessing data become more popular and increasingly contain the data that these organised criminals are attempting to extort I expect that we can see a proliferation of the threat beyond the Windows desktop.For all the latest tech news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.