More worms will try to drill holes in the company network. More work will be needed to meet federal regulations. More money is there for the challenge, but probably still not enough.
That's how 85 chief security officers summed up the year ahead in a survey conducted at last week's CSO Interchange forum in New York.
"Everyone says their security budget has increased, that security is now taken seriously and seen as a cost of doing business. Enterprises want their CSOs to become risk managers," said Philippe Courtot, CEO of security firm Qualys in Redwood Shores, Calif. and co-founder of the CSO Interchange. "Concerns are the same across a spectrum of industries. Regulation hits everybody. We all face the same threats from worms and viruses. Most CSOs see their jobs getting harder, and Sarbanes-Oxley is a big driver."
Of those surveyed, Courtot said 26% were from the financial services sector, 17% from the tech sector and the rest from a diverse range of industries. No matter the field, he said, the majority shares the same concerns for 2005. While 61% said their security budgets increased over the past year, 84% believe their security programs are still underfunded. Although 69% were concerned about online fraud at their organizations, less than half feel their organizations are doing everything they can to prevent it and 54% have not rolled out additional defenses to avoid phishing scams.
Of those surveyed:
- 58% rated worms, viruses, Trojan horses and regulatory compliance as their top security concerns;
- 62% believe they do not get sufficient early warning for major cyberattacks;
- 69% said their jobs have become more difficult over the past year;
- 80% said cyberattacks had a bottom-line financial impact on their organizations;
- 81% said security was a part of their company's Sarbanes-Oxley reporting; and
- 82% of their top executives worry about data privacy.
If multiple presentations and follow-up interviews during last week's Infosecurity New York conference are any indication, these are universal concerns.
"There's a lot of pressure on security pros because of regulation and the higher-ups not wanting to go to jail," said Warren Axelrod, director of Jersey City, N.J.-based Pershing LLC.
"There aren't always workarounds and firewalls may not always work -- particularly against a blended threat," said Jaime Chanaga, CISO of Geisinger Health in Danville, Pa. "We need to put security in terms that people outside IT can understand and get their support. Issues such as cyberattacks, online fraud and zero-day exploits can have billion-dollar impacts and deserve the full attention of the organization."
Dave Cullinane, CISO of Washington Mutual and president of ISSA, expressed frustration over recently enacted federal regulations. "There are too many frameworks to work with because of regulation," he said. "It's not right that someone can say 'Hocus pocus' and make a law we have to implement."
One important concern the survey didn't capture is the challenge of authentication, Courtot said. "Respondents weren't really asked about it, but at the roundtable, there was discussion on how you authenticate users," he said. "It's one of the big security challenges ahead."
Shawna McAlearney contributed to this report.