Cisco: It's Time For a Human Firewall

By Sean Michael Kerner

March 12, 2008

New research shows that IT plans on spending more on IT. Cisco argues that it shouldn't just go to technology.

When it comes to security, technology isn't necessary the only solution -- especially when the people using the technology are part of the security problem.

That's the key message coming from networking giant Cisco (NYSE:CSCO). Cisco's assertion comes as it reveals that security spending could well be on the rise in 2008.

According to results from a Cisco sponsored study, 62 percent of global IT decision makers plan to increase security spending within the next year, with 27 percent planning to spend by more than 10 percent.

In the U.S., the numbers are a little lower, with 53 percent reporting they expect to spend more on security and 27 percent reporting they would be spending more than 10 percent.

Research firm InsightExpress conducted the study and involved more than 2,000 IT professionals in 10 countries (United States, United Kingdom, France, Germany, Italy, Japan, China, India, Australia, and Brazil).

The spending study is the second part of a Cisco study on the habits of remote workers. That survey showed that, while workers may feel safe, their activities online actually can put their environment at risk.

Cisco thinks some of IT's security spend should be addressing human behavior.

"One of the things I see people spending money on that they haven't before is they realize they need to create the 'Human Firewall,'" Patrick Gray, senior security strategist at Cisco, told InternetNews.com. "That's the person who is sitting in an IT environment that is the last line of defense, that person with a mouse in their hand."

So what does the world's biggest networking vendor think that IT should do about the human problem? For one, Cisco's executives believe that the solution doesn't rest entirely with technology.

Cisco's Chief Security Officer John Stewart argued on a Webcast discussing the study results that IT organizations need to teach IT users how to protect themselves in ways that technology alone cannot. Stewart noted that users still click on e-mail from unknown sources and users still hop onto unknown Wi-Fi access points.

The solution is more education that actually informs users about the risks with such behavior online.

"A lot of traditional security awareness programs have been compliance orientated because they had some kind of breach," Mia Winter, senior awareness program manager at Cisco, told InternetNews.com.

Winter commented that the right approach is to teach people that they are the first line of defense and their actions can make a big difference in the overall security of an enterprise.

While a potential increased security spend by IT professionals is a good thing for a vendor like Cisco, there isn't necessarily a direct correlation between more money spent and more security.

"Spending more money is not necessarily the best thing and you can't just throw money at the problem we have to be smart," Gray said. "You have to look at the risks out there and the risk is to the human element. The bad guys are using polymorphic code and all sort of bad malware that beats antivirus but it's the behaviors of users that can make a difference. We need to make sure we're throwing money at the solution to the problem and not just the box of the day."

Article courtesy of InternetNews.com.

Originally published on .

Comment and Contribute
(Maximum characters: 1200). You have
characters left.