Federal regulations are forcing IT security staffers to change their routines, leaving them with less time to install and maintain security hardware and software. But the regulations, which can call for stringent electronic record-keeping and privacy safeguards, are also compensating for the harm they cause. By compelling IT departments to tighten their user policies, and strengthen their data storage and damage recovery programs, HIPAA, Sarbanes-Oxley and the Gramm-Leach-Bliley Act have helped make networks more secure.
That's one of the findings of a survey of enterprise executives -- including IT and security professionals -- released today by the IT security management company RedSiren Inc., based in Pittsburgh.
"We are seeing a lot of product technology hype these days -- automated patch management, incident response technology and intrusion prevention systems," said Nick Brigman, RedSiren's vice president of product strategy. "But this survey reinforces the fact that every security plan has to be a blend of people, process and technology. It's a three-legged stool."
Sixty-two percent of the 300 respondents in the RedSiren survey said the time they spend complying with the requirements of the federal laws is coming out of what they would spend installing and upgrading security products, and performing other duties meant to protect their networks. Roughly 13% said the regulations have caused them to either divert or delay new IT security projects.
Lawyers, corporate leaders and even board members all have a role to play in the new security regime, said an IT security and privacy lawyer who read the RedSiren survey.
"The new rules are making [data] security more than an IT issue," said Thomas Smedinghoff, an attorney at the Chicago-based law firm Baker & McKenzie LLP. "This survey shows a recognition that IT is an integral part of the organization's operations, and a part of the corporate mainstream."
RedSiren sent to 15,000 individuals in November. Four percent of the 300 who responded worked in the finance departments of their organizations. Another 9% worked in risk management.
The RedSiren survey also found that 90% of IT security budgets will stay the same or grow in 2005, and that educating workers about IT security policies were among companies' chief concerns.