Ok, well, perhaps I am being a bit melodramatic—there really isn't much muck, or mire, for that matter, in IT media—but certainly this whole vulnerability issue has created a great deal of press.
Security has been identified as a top three issue in virtually every CIO survey I have seen for as long as I can remember, yet I would bet huge money that the average CIO, or user, for that matter, couldn't define the difference between a worm and a virus.
If they were asked to sign off on the security of their IT systems in the same manner in which CEOs must be held accountable for their companies' financial reporting, I imagine that the CIO role would truly be a difficult job to fill.
Admittedly, my perspective on the world of security software, hardware and process is limited by my focus and experience in the database market. No doubt if my experience were as a network administrator or application developer it might be quite different.
The reality is that the security space is a very complex and fragmented market. I see dozens of companies, usually small boutique firms, in the database space alone, each trying to carve out a niche. Be it encryption or policy management, intrusion detection or auditing, it can all be very overwhelming.
So how do we reconcile the facts that security is always mentioned as a top three concern, yet there remains such a fragmented market for enterprise infrastructure security software? It seems illogical, somehow; I mean, the laws of economics would seem to be suspended to some extent in this market.
Typically markets with such strong demand tend to consolidate into a few players that may take slightly different approaches but at least have a product set that addresses a comprehensive solution.
Sure, we have Symantec and McAfee as well-known, large vendors, but if what they offer is so comprehensive, why do companies like Protegrity, IPLocks, Ingrian and dozens more exist?
Perhaps the complexity of it all also contributes to what some may describe as IT apathy toward the news of yet another vulnerability or a patch process that doesn't in fact patch anything.
Most Oracle DBAs have tended to shrug off most of the Oracle-related flaws that have been reported over the past six to eight months, believing their databases are sufficiently protected already.
It seems as if many administrators are relying on the ignorance factor: If I can't understand everything it takes to break into our system, then no one on the outside could either.
Sometimes I just wish a couple of large vendors would simply buy up all the small security vendors and package them together so I could make some sense out of it.
I mean, what was Symantec doing buying a storage software vendor, when it could have been helping society by making this whole security issue easier to deal with by reducing the number of choices a company has to make to secure its system?
Of course, as part of my contract, I would want them to sign off on the security of my IT infrastructure. You know, kind of like H&R Block. Until that day happens, however, I have to trust in the reality that ignorance is bliss. The less I know about my infrastructure's vulnerability, the more confidence I'll have. After all, knowledge may be power, but it also can make it difficult to sleep at night.
Charles Garry is an independent industry analyst based in Simsbury, Conn. He is a former vice president with META Group's Technology Research Services.