I seem to have spent the last couple of weeks writing about where the IT security market in Europe is, where it's going, how it's going to get there, and why. The problem is, no-one else knows this yet!
The sad fact of the matter is that whilst in the US they have bills like SB1386, and standards like SOX, HIPAA, GLBA, etc. we in Europe have very few with any real teeth. "What about PCI?" I hear you cry, well, maybe one or two of you. Sorry to break the news to you, but VISA and Mastercard still don't have this sewn up properly in the UK or Europe.
There is a team of 8 people working inside VISA for the WHOLE of Europe on PCI, and Mastercard has just 2. That's 10 people evangelising, directing and policing a population of thousands of vendors. [The UK alone is a nation of shopkeepers, even Napoleon knew that and he was French.]
Security in the US is incredible. It blows my mind. I've worked both for and with US companies my entire career, starting with a fledgling nCipher, then Ingrian, more recently Vormetric, and all the device manufacturers you care to name, Juniper, Bluecoat, F5 to name the better known ones.
All of these guys are doing what SHOULD be done in networks. Devices make sense, good security makes sense, but only if you're going to do it properly. It winds me up to see the CEOs and CFOs spending £40k on a new firewall 'solution' (and if I hear that phrase again I'm going to combust), and then spend nothing on decent user security, no data protection and leaving their internal networks completely unguarded. In the next few days I will be explaining myself fully, but for now, you know who you are...