Despite well-publicized security problems faced by IT giants like Microsoft Corp., not all companies heed the call for tighter measures. Nearly half the 174 respondents in a recent searchSecurity.com online survey said they have an informal security policy or none at all, and almost a third said they lack a security budget.
Some analysts and respondents said they were not surprised by the survey results. "A lot of companies have a [security] policy that's ignored or not understood," said David Thompson, a research analyst at Meta Group Inc. in Stamford, Conn. Policies "tend to gather dust on the shelf." Often the policy is unclear, or it's too inflexible to take business needs into account, he added.
A successful policy depends on how you approach it, said Don Baldwin, a survey respondent and managing director of Auldenfire Sweden, a consultancy in Stockholm. Baldwin works as a software architect for clients and deals hands-on with security issues. "Our company and all of our clients have formally defined security policies," he said. Typically, Baldwin said, these policies are defined by a framework that describes how security will be handled across the enterprise. Each business unit, in turn, develops its own security plan, based on that framework, to meet its specific operational requirements.
Counse Broders, a senior analyst for Current Analysis Inc., in Sterling, Va., said that companies often bypass security policies and rely too much on their firewalls. "They feel that 'we've got the firewalls in place, and that's adequate,'" Broders said. But companies need more than that to deal with today's increasingly sophisticated threats. "Firewalls worked in the past, but everything evolves."
On the issue of security-dedicated budgeting, "there's one answer from the mouth and another from the pocketbook," said Frank Prince, a senior analyst at Forrester Research Inc. in Cambridge, Mass. "There has (been), and continues to be, a disconnect between business management's perspective and the security manager's perspective about what is important."
People at all levels say they're concerned about security, Prince explained, but they don't spend very much on it. In most American companies, three-tenths of one percent of top-line revenue goes to information security, according to Forrester research; by that measure, he said, most companies spend more on coffee than on security.
The reason: "You don't spend a buck to protect a dime," Prince said. If credit-card fraud is going to cost a company $200,000 annually for the next four years, it doesn't make sense to spend $1.5 million on a system to combat it.
Another reason for the budget shortfall is that many companies probably cover IT security out of other budgets, said survey respondent Chuck Lewis, manager of information technology at Lee Supply Corp. in Indianapolis, Ind. Lee Supply is a wholesale distributor of plumbing and heating supplies.
Whatever the reason, some users suggest it is a dangerous strategy. "I think a company is crazy not to have some sort of budget in place for security needs," said Dale Jackaman, survey respondent and director of the information systems group at BC Research Inc. in Vancouver, British Columbia. BC Research provides laboratory analysis and testing, field work and other related scientific services.
"Even if they have nothing to protect, the ability for a hacker to use that company as a base to attack other entities could create a major liability issue," Jackaman said. "And the costs for removing a hacker once he's in your system could be onerous, to say the least."
The other side of this question, though, is interesting. "Just because a company has a security budget, it's dangerous to assume that it means they have adequate security in place," said Auldenfire's Baldwin. "Most companies do not. Most companies do not adequately invest in training, and many fall short of keeping informed and up to date on the latest security issues." A lot of the companies he works for as a consultant, he said, do not have the latest patches or service packs installed on their servers.
Wanted: public forums
Still, it's clear that IT pros are looking for reliable security information. An overwhelming number of respondents -- almost 90% -- said they believe IT security pros should share information about their problems through a public forum.
"In general, this is a good idea," said BC Research's Jackaman, "and I pick up much by belonging to e-mail lists, conferring with my peers via various modes, and the like." The key, users and analysts agree, is to have a forum that's available in a public place but that shields the identity of individuals who contribute.
That does pose dangers, however. "It's kind of like having a CNN News report during the war -- you don't want the enemy seeing what you know about them," said Current Analysis' Broders.
Not everyone believes this is possible. "Everyone says they want to do that, but they don't do it themselves," said Meta Group's Thompson. "This would create a great risk" to the individual companies involved.
Lee Supply's Lewis said, "I don't know if there is an easy answer. There are plenty of us out here that do exchange this information with each other because it is crucial to what we do. And if there was any way to do a legitimate study, I'm sure the 'bad guys' know this information anyway."
Ambrosio is a freelance writer in Marlborough, Ma.