CHICAGO -- How can you tell if your company has reasonable security?
By spending lots of money on it? By analyzing the risks your business faces from threats? Or, by buying top-of-the-line equipment?
Security is definitely a concern for companies. Security outpaced Web development software, enterprise portal projects and customer relationship management in a recent Gartner survey of CIOs' top 10 technology priorities this year. In another survey, Gartner found security spending, as a percentage of the IT budget, is on the rise, from about 2.6% in 2000 to 4.1% this year.
However, there is no correlation between security spending and the level of security, said Vic Wheatman, vice president and research area director at Gartner, during his keynote address Wednesday at Gartner's Information Security Conference 2002. So companies will need to consider other factors.
Spending or standards?
Companies need to examine everything from the threats facing their businesses to whether they are embracing good standards.
Purchasing state-of-the-art technology is one way to gauge your level of security, Wheatman said. Determining the likelihood of a security failure and its consequences is also important. Obviously, a breach that would be a minor nuisance would require fewer resources than something that could shut the business down, Wheatman said.
A very important way to determine security preparedness is looking at which standards are embraced. For example, Secure Sockets Layer (SSL) is a "beautiful" standard, Wheatman said. Companies should be using it right now. Internet Protocol version 6 (IPv6) is good, but not quite ready for prime time. Most companies should consider adopting it in 2005 or later, Wheatman said.
Wired Equivalent Privacy (WEP) protocol, however, is one standard that is fundamentally flawed and shouldn't be used. "It's not going to happen," Wheatman said.
However, sound security is more than just protecting a company's assets. There are also possible "downstream liability" issues for companies that don't secure their servers, should those servers be used in a denial-of-service attack on another company. "Being a good Net citizen is essential," Wheatman said.
The outsourcing option
Some companies are considering getting out of the security game by outsourcing it, Wheatman said. "Security can be hard and complicated," he said.
Security is far more than products and software. Firewall rules need to be adjusted over time to make sure they remain effective. Sometimes staff turn intrusion detection systems off because they are tired of the constant alerts from a system that has not been properly tuned. Antivirus software gets shut off or does not get updated.
Some companies don't have the people to handle all security duties. Other projects, such as e-business, may be a bigger priority. Often companies don't have an official specifically in charge of security, Wheatman said.
However, outsourcing security isn't a panacea. Outsourcers can't really handle some things, such as firewall changes. Legacy applications can also be a challenge. Additionally, personnel could lose their jobs as a result, Wheatman said.
Beyond technical security, there are physical security matters to consider. Wheatman offers a little test for such security. What if you see someone you don't know around your office? Do you choose to get involved? If you decide to, do you know whom to tell? In other words, does your company have policies in place to handle such situations?