REDMOND, Wa. – Is it possible for organizations to find the right balance of effective security at lower cost? It is a daunting task, but beyond transforming people, processes and technology, organizations should also demand that IT vendors provide more secure products, services and software-as-a-service (SaaS) offerings.
Combined, these forces would lower the overall cost of information security while letting a firm improve its overall security posture.
Consolidation and convergence of security functions onto security platforms would have the greatest effect on overall cost reduction over time. Much of this is made possible by ongoing improvements in processing power (Moore's Law), which shift the balance of what is feasible from a security perspective and make practical things that simply were not feasible even five years ago, such as deep packet inspection on desktops.
Microsoft and other operating system (OS) providers will have an impact as well, as parts of security functionality are absorbed into the base OS and others, such as identity services, become a part of application platforms like Java Platform Enterprise Edition (Java EE) and .NET.
When evaluating a security vendor, enterprise requests for proposals (RFPs) should at least ask vendors to detail how they test their products for vulnerabilities. Common Criteria certification is no panacea: many certified products have had vulnerabilities found weeks or years later, and a certificate covers only the evaluated configuration and the security functions the vendor chose to claim. It does, however, establish that an independent testing laboratory has examined the product (including its design and, at higher assurance levels, portions of its code) and validated the advertised security features.
Compliance and reporting concerns have spurred recent interest in managed security services, as vendors start to roll out additional reporting capabilities through their portals.
The resources needed to monitor and manage intrusion detection systems are driving the managed security service market. However, the recent lull in worm attacks has allowed other factors to grow in importance: vulnerability management, along with analysis and reporting, is increasingly cited as a driver for managed security services among Gartner clients. Head-count pressure from ongoing efforts to cut operating costs is driving more security outsourcing as well.
Inhibitors to security outsourcing arise mainly from the belief that security is too sensitive to outsource, or from environments where the monitoring workload is not high enough to justify dedicated personnel across multiple shifts.
Regardless, the earlier an Internet attack is detected and stopped, the better. Many attacks, such as denial-of-service attacks and most Internet worms (Code Red, for example), could be stopped, at a cost, at the point where they enter the Internet. For such "in-the-cloud" protection to be widely used, providers at the various tiers of service must cooperate and interoperate, and must believe there is profit to be made in providing higher levels of security.
ISPs and Internet data center (IDC) hosting providers could apply such protection across all their customers with great economies of scale, but they have not seen market demand that justifies the investment. Service providers that do offer in-the-cloud protection price it 10 to 30 percent below their customer-premises-equipment-based offerings. Enterprises should plan for increased ISP and IDC hosting costs and then negotiate denial-of-service and malicious-content protection into those contracts.
Ongoing improvement in the IT organization's process discipline will be the second-largest contributor to spending less while being more secure. As a class of threat matures and its defenses become routine, the protective activities should be handed over to IT operations, which relieves the information security (IS) team of the more mundane threat-protection tasks.
Despite a company's goal of changing people and processes as a means of spending less and becoming more secure, what Gartner typically sees is a set of different initiatives across different business units, which increases complexity and produces overlapping functionality.
The market for desktop security is moving from one of separate point products to a converged “personal intrusion prevention” product, which includes anti-virus, anti-spyware, personal firewall and behavior-blocking capabilities.
In 2005 and 2006, anti-virus and anti-spyware functionality converged. Although the larger anti-virus vendors have been slow to grasp the implications of anti-spyware, there is no need for two point products sifting through your desktops and servers to locate and remove malicious code.
Moore’s Law has driven the IT industry to reduce the cost of products or to increase functionality if costs stay the same. The security industry has tried to ignore Moore’s Law, holding prices steady for old functionality and trying to increase prices to add new capabilities (such as anti-spyware or intrusion prevention).
Wireless e-mail software vendors continue to extend their support for security functions. RIM and Good offer extensive support at all levels; from a security perspective, RIM is recognized as the most secure solution available.
However, BlackBerry devices are closed, end-to-end solutions, an approach that is increasingly mismatched with enterprises' need to deploy mobility solutions enterprise-wide.
Good offers an extensive set of features for device security and remote IT management, including control and encryption of peripherals, as well as blacklists and whitelists of applications. For Microsoft, security and device management are weak and require complementary third-party tools. Nokia has security and management features, but they are not available across a range of platforms. Sybase's platform offers over-the-air updates with strong security support in a long-lived product, but lacks a mobile firewall.
Vista became available on new machines in 4Q06. Many of its features carry additional considerations that must be factored into a decision to migrate. For example, the ugly issue of metadata management gets worse, not better, because the ability to tag documents with metadata at the OS level is exposed and leveraged by Vista's built-in search.
User Account Control (UAC) is an important step forward in Vista: running users as standard users reduces the attack surface. However, standard users will not be able to install most software, including Internet Explorer extensions, and UAC does nothing to stop a program the user downloads and runs from doing whatever that user's own privileges already allow. IE 7 is a positive step forward and is even more effective on Vista, where UAC lets it run in Protected Mode as a low-integrity process.
Vista's firewall is managed through Group Policy objects (GPOs) and will not be managed by the initial release of Microsoft Forefront Client Security. It also lacks the deep packet inspection (DPI) capabilities of leading-edge firewall products.
Vista does, however, let anyone developing a Windows service declare the resources the service should be allowed to use in terms of registry, file system and network access (Windows Service Hardening), so a compromised service is confined to the resources it was declared to need.
BitLocker is an important capability, especially on mobile devices (to protect a lost or stolen laptop), but it is available only in the Enterprise edition (through Software Assurance) and the Ultimate edition. Planning for BitLocker must include testing your hardware for Trusted Platform Module (TPM) support, planning key management and recovery, and, because BitLocker encrypts the whole volume rather than individual users' data, planning user-level encryption on shared machines.
Windows Defender (the bundled anti-spyware product) is a good thing, but the Windows Security Center and Kernel Patch Protection have already run into trouble with the European Commission (EC). Anti-spyware signature feeds are provided at no cost to users who pass Windows Genuine Advantage (WGA) validation. Anti-virus capabilities, signatures and manageability, however, are provided only if you purchase Forefront Client Security.
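As an added illustration, not code from the article or from Microsoft, the following PowerShell script shows the kind of per-service confinement the paragraph above describes, using the Windows Service Hardening controls that shipped with Vista (per-service SIDs, privilege stripping, and firewall rules keyed to a service). The service name ExampleSvc, its data directory, registry key and TCP port are assumptions made for the example; sc.exe, icacls and netsh advfirewall are the standard Vista-era tools.

```powershell
# Added example: confine a hypothetical Windows service ("ExampleSvc") to the registry,
# file-system and network resources it needs, using Windows Service Hardening.
# Assumptions: the service is already installed, this runs in an elevated PowerShell on
# Vista or later, and the service only accepts inbound TCP 8443 (it never dials out).
# Call sc.exe by its full name: in PowerShell a bare "sc" is an alias for Set-Content.

$svc     = 'ExampleSvc'
$dataDir = 'C:\ProgramData\ExampleSvc'
$regKey  = 'HKLM:\SOFTWARE\ExampleSvc'

# 1. Give the service its own per-service SID ("NT SERVICE\ExampleSvc") and a
#    write-restricted token: the service can then write only to objects that
#    explicitly grant that SID write access, even if it runs as LocalSystem.
sc.exe sidtype $svc restricted

# 2. Strip the token down to the one privilege almost every service needs
#    (bypass traverse checking). Anything else, e.g. SeDebugPrivilege, is gone.
sc.exe privs $svc SeChangeNotifyPrivilege

# 3. File system: remove inherited ACEs, then grant Modify on the data directory to
#    the service SID only (SYSTEM and Administrators keep Full Control for maintenance).
New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
icacls $dataDir /inheritance:r /grant "NT SERVICE\${svc}:(OI)(CI)M" `
    'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'

# 4. Registry: the same idea for the service's own configuration key.
New-Item -Path $regKey -Force | Out-Null
$acl  = Get-Acl -Path $regKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            "NT SERVICE\$svc", 'FullControl',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $regKey -AclObject $acl

# 5. Network: firewall rules keyed to the service rather than to an executable path.
#    Inbound: allow only TCP 8443 for this service (other inbound traffic is blocked by
#    the default policy). Outbound: block every connection the service itself initiates.
#    Rule names avoid spaces so PowerShell passes them to netsh unquoted.
netsh advfirewall firewall add rule name="${svc}In8443" dir=in action=allow `
    service=$svc protocol=TCP localport=8443
netsh advfirewall firewall add rule name="${svc}OutBlock" dir=out action=block `
    service=$svc

# 6. Restart so the new SID type and privilege set take effect, then verify.
Restart-Service -Name $svc
sc.exe qsidtype $svc
sc.exe qprivs  $svc
```

The check that matters afterwards is step 6: `qsidtype` should report `RESTRICTED` and `qprivs` should list only `SeChangeNotifyPrivilege`. Note that the write-restricted token does not consult the SYSTEM ACE at all for writes, which is why the service SID itself must be granted Modify in steps 3 and 4.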
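The TPM test and the key-management planning mentioned above can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft: it queries the TPM through the Win32_Tpm WMI class that Vista introduced and, only if the TPM is usable and the caller opts in, escrows a recovery password for the OS volume with manage-bde. Assumptions: an elevated PowerShell, C: as the OS volume, and manage-bde.exe, which ships with Windows 7 and later (on Vista itself the same commands are run through cscript manage-bde.wsf).

```powershell
# Added example: BitLocker readiness and recovery-key planning before a migration.
# Assumes elevated PowerShell, the Win32_Tpm WMI class (Vista and later) and
# manage-bde.exe (Windows 7 and later; "cscript manage-bde.wsf" on Vista). C: is the OS volume.

function Get-TpmReadiness {
    # Returns one object describing whether this machine can use TPM-backed BitLocker.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        # No TPM, or the TPM is hidden/disabled in firmware: BitLocker would need a USB
        # startup key instead of the TPM, which changes the threat model for a lost laptop.
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false; SpecVersion = $null }
    }
    New-Object PSObject -Property @{
        Present     = $true
        Enabled     = $tpm.IsEnabled().IsEnabled      # enabled in firmware
        Activated   = $tpm.IsActivated().IsActivated  # activated, i.e. usable by the OS
        Owned       = $tpm.IsOwned().IsOwned          # ownership taken (BitLocker setup does this)
        SpecVersion = $tpm.SpecVersion                # TPM spec version string, e.g. "1.2, ..."
    }
}

function Invoke-RecoveryKeyEscrow {
    param([switch]$Enroll)
    # Key management: add a 48-digit recovery password to C: and print it with its ID so
    # it can be escrowed (in Active Directory or a key-management system) BEFORE the
    # TPM is relied on. Without an escrowed recovery key, a forgotten PIN, a firmware
    # update that changes the measured boot state, or a motherboard swap bricks the disk.
    if ($Enroll) {
        manage-bde -protectors -add C: -RecoveryPassword
    }
    manage-bde -protectors -get C: -Type RecoveryPassword   # ID + password to escrow
    manage-bde -status C:                                    # encryption and protection state
}

$ready = Get-TpmReadiness
$ready | Format-List Present, Enabled, Activated, Owned, SpecVersion

if ($ready.Present -and $ready.Enabled -and $ready.Activated) {
    # Pass -Enroll to actually add the protector; without it the call only reports.
    Invoke-RecoveryKeyEscrow
} else {
    Write-Warning 'TPM not usable on this hardware: plan for a USB startup key or a different model.'
}
```

Run the readiness function across the candidate hardware pool first; a TPM that is present but not enabled or activated still needs a firmware change (often a physical-presence prompt at boot) before BitLocker can use it, which is the kind of per-model finding that belongs in the migration plan rather than the help-desk queue.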
As for open source, even if you don’t want to consider open source secu