An individual's opinion of proposed regulations is motivated by several hard-to-quantify factors. However, two groups, those who either strongly support or strongly oppose security laws, exhibit clear-cut organizational tendencies.
Security professionals who feel infosecurity laws will make security at their organization "much better" exhibit the following characteristics:
- High number of users.
- High ratio of users to full-time security staff.
- Low number of reported incidents.
These characteristics exemplify an underfunded and overwhelmed security department. Security staff is feeling pinched on all sides. They're responsible for more users than their counterparts at many other companies, and they report fewer incidents because they don't have adequate resources or time to monitor and detect them.
They are searching for answers beyond what they feel their organization is willing or able to provide. In short, they support the prospect of stringent government security regulations because anything's better than the status quo.
They feel that getting help from the government can only help them, even if it's the lesser of many evils.
On the other hand, security professionals who strongly oppose infosecurity laws work at organizations with these characteristics:
- Small organization with a low number of users.
- Low ratio of users to full-time security staff.
- High number of reported incidents.
- Well-funded security departments.
Survey statistics show that smaller organizations spend more money per user and per machine for security than larger organizations. They also spend a higher percentage of their IT budgets on security than do larger organizations.
These organizations report the highest number of security incidents because they have the resources and manpower to monitor their networks and servers. In short, they don't feel they need the government's help, because they're doing just fine on their own. While security is never easy, they feel they've got adequate budget and headcount to address the challenges without government interference. For them, further regulations will only divert attention and resources away from current security efforts.
About the author:
Andrew Briney is editor-in-chief of Information Security.
This was first published in January 2003