
Adapting the security game plan

SurfControl's Steve Purdham tells Michael Gubbins why his company needs clear strategies for the future.

Michael Gubbins, Computing 15 Apr 2004

Controlled use of the internet and filtering out unwanted content remain major concerns for business. But interest in them is based largely on specific threats, most notably from porn and spam.

Computing spoke to Steve Purdham, president and chief executive of SurfControl, about today's online dangers and how to cope with a changing market beyond them.

Security companies largely sell on the current fear factor. So how can you be sure of a future when that fear recedes?
It's a tricky balance. That's why you need strategies. There's no point trying to sell all the functionalities of the things we do to someone who just wants to put out the spam fire or the porn fire.

So a lot of our marketing is just designed to push the hot buttons of an organisation's needs at that moment.

The porn blockers of 1996 and 1997 didn't survive the move to rich content filtering. The same will be true now for the massive number of spam blockers.

They are finding that Microsoft has already introduced tools in Hotmail which are 80 to 90 per cent effective.

But security threats come in multiple forms. Blocking is not really what SurfControl or the market is about. Unfortunately, it's like a Russian doll - people only really see the top layer.

What's the next layer of the Russian doll?
It's about understanding content in the right context. Just blocking isn't enough.

What you do with content depends on where you are and what your goals are. At lunchtime you don't mind people looking at sports or using eBay, but after lunch you want to control it more. The software can't have preset ideas; it must provide a mechanism, not define the policy.

We have to make sure that technology is agnostic to the content type. You can't say what the next factor is going to be. And you can't even have a single global message.

Porn became an issue in the US two years after it was the big issue in the UK. And when the US moved on to the likes of etrade and eBay, the UK was still worried about porn.

So, at a marketing level you have to work on the current fear, but at a strategic level, you have to push the 'spam and beyond' or the 'porn and beyond' button. Nonetheless, porn and spam were obvious creators of problems and fear.

Is there a similar threat now?
The threat today comes in multiple layers. First, there is a technology change in the way information is delivered.

Then there is a shift in dynamics. Within the next five years, 90 per cent of people might access the net through a non-PC device. That will have a big effect.

Then there is the issue of content type. For public companies, the biggest spam problem is about customer confidentiality and compliance.

Then you go to many private companies which don't give a damn about compliance, and confidentiality is probably of lower grade concern. You will have to decide what your issue is.

In the changed market which you suggest, can selling remain so reactive and negative?
We started life saying: "this is about content", and we came up with something we called positive filtering.

You want the choice. Positive filtering is being able to choose what to block, and when, rather than just blocking everything. But positive messages are more difficult to sell than negative ones.

At a development level, we've always kept in mind that we produce positive filters which don't have an emphasis on what is good or bad, because the definition of what is good and what is bad is contextual.

Marketplace dynamics change, and when you're looking at content, you're going into the minutiae of whether something is spam, a joke, a virus, or company confidential. The definition is different for each organisation and situation.

There's much talk about the death of privacy in preventing information collection. Where does SurfControl fit in?
Privacy is a state of mind. It should never be the technology that's blamed.

Nobody asks questions about the security camera in reception. And if you look at the CCTV software around now that can track an individual from one location to another, you just accept that. But put the same camera in the ladies' loos and it's an invasion.

The only difference is the policy - what you deem to be acceptable and what you don't.

Take mobile phones, for example. I can take a phone and talk to T-Mobile or Orange, and they will tell me they are putting lots of fancy security capabilities into the phone.

But if I put in an 802.11b card and go into McDonald's, then I can bypass the lot because it doesn't control that connection.

The big issue is how you can have consistent policies across converged technologies because they fight against each other.

Isn't one of the questions for this dynamic world how to pay for services such as yours?
It's a challenge for the whole industry. In June 1998, when SurfControl first went public, the pricing model we wanted to implement was a micro-payment type: the more decisions we made on your behalf, the more you would pay us.

That particular model is still very valid. Unfortunately, though, the departments of the organisations we were dealing with hadn't got into the mindset that made it possible.

Over time, people have started to say: "Maybe that's a better way - maybe we should be more subscription-based than licence-based."

When I came into computing in the 70s, you never bought software. You bought hardware and rented software. So we are coming full circle.

You have to be very careful introducing new models because you are always in a race, but it's a marathon consisting of thousands of 100m races.

In a 100m race, you only need to be one-thousandth of a metre ahead of the person behind you. If you're three, four or five metres ahead, you are losing energy.

We may be dynamic at a conceptual level, but we have to wait until ideas become the acceptable norm.

Who is going to make the IT decisions on security in an environment where outsourcing is so prevalent?
Even in an age of outsourcing, you still need someone inside the organisation who makes decisions about the business requirement.

The outsourcer cannot decide on the business criteria. The process has changed, and that makes it difficult for vendors.

In a pure outsourcing model, the outsourcer holds the key to the technology but the business process is held by the organisation.

It all comes back to the idea of boundaries. They will still exist but they will be blurred. IT decisions will be made but you won't really care where they are made any more.

You outsource to save money but you might lose control. So when you want control back, you bring the work back in. And that could change again. It's a cyclical thing.
