Andrew Briney and Frank Prince
Published: 01 Oct 2003
"There is no there there."
Gertrude Stein's famous quip about Oakland, Calif., also characterizes traditional executive attitudes toward infosecurity. Managers know it's there; they think it's necessary; and they'll spend money on it, since the auditors and regulators tell them to. But corporate executives have no idea what the security guys really do.
Exacerbating this perception is infosecurity's immaturity as a product/service industry and, more importantly, as a profession. In the IT world, mature practices are characterized by standardized operations, metrics-based decision-making and proactive measures in the face of change. Historically, infosecurity practitioners have adopted few, if any, of these practices.
But some of that is changing, according to recent surveys conducted by Information Security and SearchSecurity, the magazine's sister site. Taken together, the surveys offer an in-depth look at the practices of nearly 4,000 security professionals, including statistics that point to a more disciplined, mature approach to security operations.
For instance, the surveys reveal that IT security managers are becoming more aggressive about evaluating emerging threats and aligning their security strategies against identified risks; that organizations of all stripes and sizes have standardized on a common set of data defense technologies; and that most security pros are ahead of the regulatory curve, implementing security changes in a proactive manner before the government forces them to.
Greater security awareness has its rewards, too. Organizations are spending more on security, according to the surveys, and executive management and business unit managers are embracing security's role in operations and project decision-making.
Information security still has a long way to go before it's institutionalized into every organization's business process and culture. But the surveys show that some of the roadblocks are disappearing, and that last year's conventional wisdom has become this year's security myths.
For security, finally, there's some "there there."
MYTH: Everybody talks about the importance of security, but nobody puts their money where their mouth is.
REALITY: Security budgets are growing, particularly in larger companies.
What's your number one obstacle to effective security? Betcha said lack of budget. Death, taxes and a lack of security budget are the three universal constants in this business.
"If we had the budget, we might be able to do things we aren't now doing," says one survey respondent, a CIO at a state government agency. "Knowledge isn't enough; resources are important."
There's a big difference between what you want and what you need to secure your enterprise. Unless you work for the NSA, there will never be enough money to fund what you want. However, the Information Security Annual Survey shows that in coming months you may have better success getting the funding you need.
After a recession-induced drop last winter, security budgets steadily rebounded in Q2 and Q3 2003, accounting for more than 13 percent of overall IT spending (see Figure 1). Even if general IT spending remains flat, as some reports indicate, security budgets should increase. Budgets in large and very large organizations increased the fastest, as companies funded long-delayed upgrades and, in some cases, new infrastructure solutions.
The uptick in security spending mirrors that of early 2000. In the second half of 1999, organizations routinely froze security budgets to focus on Y2K remediation. In January 2000, with Y2K behind them, many organizations restored funding for 1999's held-over projects and allocated new budget for 2000's security initiatives. The survey suggests that a similar "double-up" phenomenon may be under way now.
But don't start celebrating just yet. While the purse strings may be slowly loosening, rigorous financial accountability and intense scrutiny on the bottom line will continue to be the rule for IT security, even in organizations that "get it." And for many companies, security still doesn't register on the radar screen. Since the 9/11 terrorist attacks, the slight majority of organizations (51 percent) have increased their security spending (see Figure 2), according to the SearchSecurity users survey. But another third have flat budgets, and 5 percent have experienced an overall budget cut. Thirteen percent don't know which direction security spending is headed.
"Security budget is a difficult question, since such items are buried into other projects or operations," comments a telecom data/network engineer.
MYTH: Most security is reactive. Organizations don't implement security measures until it's too late.
REALITY: Organizations are increasingly proactive about risk management and mitigation.
The annals of infosecurity are filled with stories of "closing the barn door after the horse has escaped." Oft-cited examples include Citibank, which spent millions shoring up IT security after hackers breached a customer database in 1995; and the Department of Energy, which opened the security checkbook (for both physical and IT security) following the Wen Ho Lee fiasco.
Old habits die hard, and some companies still won't pay attention to (or spend money on) security until they've been hacked. According to the Information Security Annual Survey, 13 percent of surveyed organizations "mostly" or "always" wait to implement security changes until after they've been compromised (see Figure 3).
However, the majority of corporations and government agencies have adopted a proactive approach to security, according to the survey. Eighty-four percent say they implement security changes as soon as a risk is identified. For example, these organizations begin testing a Microsoft patch or workaround as soon as they catch wind of a serious vulnerability. What's more, nearly 78 percent of respondents act when a risk is demonstrated -- for instance, when they discover the presence of a rootkit on a file server.
Put another way, only one-quarter of companies are mostly or always reactive to security incidents -- waiting to implement changes until after a breach, or until they're forced to do so by law or regulation. Eighty-one percent are mostly or always proactive, implementing changes as soon as they become aware of a vulnerability or exploit (see Figure 4).
A proactive approach in the face of emerging threats is a double-edged sword, however. Companies that rush to install patches without adequately assessing the risk to their systems -- or without testing their impact on server functionality before rolling them into production -- may create more problems than they solve.
MYTH: New security regulations are the primary drivers of security change.
REALITY: Most organizations are motivated to adopt security measures for other reasons.
HIPAA, GLBA, Sarbanes-Oxley, Basel-II, the California Security Breach Information Act (SB-1386) -- it's commonly assumed that these and other security-related laws and regulations are driving companies to ramp up their data security and privacy controls. While that's partially true, it's not the whole story.
Previous Information Security surveys show that most infosecurity managers support the government's involvement in mandating fundamental practices. Sixty-one percent of security pros say they'd support a law requiring minimum security practices, according to a January 2003 Information Security survey.
Indeed, in some organizations, regulations are the only weapon security has to convince management that they must implement data security controls. As the saying goes, the executive suite doesn't care about "good" security; it cares about "good enough" security -- good enough to keep the auditors at bay.
For most security managers, however, "good enough" isn't good enough, and government regulations, while useful in many ways, are not a primary driver of security activity. According to the Information Security Annual Survey, only one in three organizations said they'll wait to implement security changes until they're required to do so by law or regulation. Forty-five percent of respondents said regulations "never" or "rarely" drive security actions (see Figure 5). The majority of respondents are motivating security change through more proactive security strategies and activities -- when budget permits, of course.
"Most security measures implemented are because I am trying to be proactive for as little cost as possible," says one survey respondent, a network specialist in retail.
MYTH: Only well-funded security departments and three-letter government agencies do formal IT risk analysis.
REALITY: Most organizations conduct some form of risk measurement.
At its heart, infosecurity is about determining the value of data and implementing appropriate safeguards. Risk analysis is the process of aligning security spending with identified risk, preventing you from spending a dollar to protect data worth a dime. All of which is great, except who has the resources, time or wherewithal to conduct formal risk assessments?
Turns out that 85 percent of organizations do, according to the Information Security survey (see Figure 6). More than half of surveyed organizations conduct qualitative assessments, which involve informal risk ratings, consultations with data owners and scenario-based risk modeling.
Surprisingly, 40 percent conduct more difficult quantitative assessments, which attempt to assign numeric values to assets and present potential losses in terms of actual dollar figures. Almost as many organizations say they perform benchmarking, a comparison of their security policies and practices with that of similar organizations.
"The only way to know your risks is to measure them," says the CTO of an IT consulting firm. "Periodic and on-demand testing helps us know our risks. Independent verification testing helps us with perspective."
Not surprisingly, the level and depth of risk analysis corresponds with company size. Larger organizations measure risk up to 25 percent more often than smaller organizations (see Figure 7). And almost twice as many very large organizations do benchmarking as small- or medium-sized companies.
MYTH: Security procedures and technology adoption are hit and miss.
REALITY: Organizations implement a common set of "must-have" security measures.
Organizations often struggle with institutionalizing security "best practices" because they've discovered that what's best for someone else -- even a peer organization in the same industry facing similar challenges -- isn't what's best for them. Idiosyncrasies in network infrastructures combined with unique business demands make security best practices extremely difficult to codify.
However, organizations of all stripes and sizes have standardized on a set of basic technologies required for data security, according to the survey. Antivirus, perimeter security (e.g., firewalls) and network authentication are risk mitigation techniques that are almost always implemented in organizations (see Figure 8).
On the other hand, the survey also shows that some organizations still have a long way to go before they achieve "security maturity." While it's fashionable to talk about the importance of employee awareness programs and a defense-in-depth security architecture, organizations by and large don't consider these must-have security practices.
MYTH: The increase in employee/contractor fraud, intellectual property leaks and corporate espionage has prompted organizations to change their focus from hackers and viruses to "insider security" issues.
REALITY: Mitigating external risks still consumes most security resources and time.
The boundary between "internal" and "external" risk continues to erode, as virtual networks, a mobile workforce and partner/supply-chain extranets replace traditional castle-and-moat infrastructures. It's never been more difficult to pinpoint exactly who's an insider, and who's not.
As the line between good guy and bad guy blurs, security pundits have predicted that organizations will devote more attention to risks posed by those closest to the data: their employees. But according to the SearchSecurity survey, that's not the case. When it comes to the security of Internet and intranet Web sites, 22 percent more security managers are concerned about outsider attacks than about insider security breaches (see Figure 9). Similarly, 26 percent more managers were concerned about an outsider attack on the network, data systems or applications. And despite the potential for huge loss, only one-quarter of respondents were "very" or "greatly" concerned about intellectual property theft or espionage by a corporate competitor.
Maturing, But Not Mature
Taken together, the Information Security Annual Survey and SearchSecurity users survey show that IT security is becoming more professional. Bolstered by an increase in security spending, enterprises across the economic spectrum have adopted a set of security technologies and risk mitigation practices. Most organizations are making security decisions on the basis of measured risk, not on industry hype or FUD. And security departments have become proactive in their response to identified threats, as the interval between the announcement of security vulnerabilities and public exploits becomes shorter and shorter.
All of these trends point to a maturation in infosecurity practice and a continued acceptance of IT security as a part of doing business.
But there's still a long way to go. While budgets are up dramatically, security spending isn't driven by identified threats to the organization, but rather by the size of the installation base of computing equipment -- more equipment, bigger budget. What's more, budgets are up in large part because of the endless barrage of viruses and worms, prompting most companies to adopt a standard set of defensive technologies: firewalls, AV and network authentication. In the background, areas of higher risk -- damage from insiders, corporate espionage, user ignorance and apathy -- receive less attention.
Bottom line: security's not the pimply adolescent it once was, but neither is it ready to take over the family business.
About the authors:
Andrew Briney, CISSP, is Information Security's editorial director.
Frank Prince is an independent IT consultant and former security analyst at Forrester Research.