"Exploits are so pervasive that keeping systems current is more important than ever. It's a challenge because there's always the balance of needing to minimize system downtime," Stanford says. "There's also a lack of real expertise in vulnerability management. It's hard to find and hire staff who has the training and experience to assess systems for secu-rity control effectiveness and manage mitigation efforts."

				What's On Tap For 2006??

Threat correlation remains a challenge. Organizations struggle trying to normalize and correlate threat and vulnerability data in order to prioritize risk and remediation. Most processes remain manual, more often than not keeping security managers in the dark as to their exposures.

"When a vulnerability alert comes out, I get information from the lists and newsletters. If it pertains to our organization, I submit call tickets for research," says Justin Francis, a security administrator for a national entertainment retail chain. "The process is there, but it's manual."

Tying it all back to risk, respondents want to have better automation around reporting mechanisms in order to placate not only management, but auditors. Many rely on homegrown reporting applications that produce outputs in spreadsheets and PDFs, or via Crystal Reports.

"Giving management the warm and fuzzies is always important," Kramer says. "Sometimes, varying communications with a common message is needed. You can't tell whether your audience is tactile, visual, or auditory in receptiveness, so you just have to keep trying."

< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >