
Gartner: Security budgets are up, so is accountability

An analyst at the Gartner ITxpo said IT administrators and security officers will be held to a higher degree of accountability in 2004 because security budgets are inching upward.

ORLANDO, Fla. -- When Gartner Inc. vice president John Pescatore looks to 2004, he sees a couple of things that security administrators need to worry about, and they're not just in the realm of malicious code.

Next year, the security budget for the average enterprise will, for the first time, constitute more than 5% of its overall IT budget, Pescatore said Monday during a session at Gartner ITxpo. So, for many, 2004 will be the first year that security spending shows up on the CIO's pie chart.

Quantifying security
At a session Monday at Gartner's ITxpo, John Pescatore, a vice president at Gartner Inc., urged security administrators to learn how to quantify the work they do. Here are some figures that he suggests security officials should know:
  • How many machines were hit in the last virus attack? How many were hit in the prior attack?
  • How much time generally passes between the time a critical vulnerability is announced and the time that systems are patched?
  • What percentage of known attacks is the organization vulnerable to?
  • When was that percentage calculated?
  • What percentage of company software, people and supplies have been reviewed for security issues?
  • What percentage of critical data is strongly protected?
  • What percentage of the company's revenue (not just the IT budget) does security represent?
  • What percentage of downtime is the result of security problems?
  • What percentage of nodes in the network are managed by IT?
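As an added example (not from the article or from Gartner), here is how a few of the sidebar's figures can be computed from an asset inventory: time from announcement to patch, the share of managed nodes still exposed, the share of nodes under IT management, and the "as-of" date the numbers were calculated. The hosts, dates and the advisory are constructed for illustration.

```python
"""Computing a few of the sidebar's figures over a constructed asset inventory.
Added example, not part of the original article; all hosts and dates are made up."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    managed: bool                 # inventoried and patched by IT
    patched_on: Optional[date]    # None: not patched, or state unknown (unmanaged)


# Constructed: a critical vulnerability announced on this date ...
ANNOUNCED = date(2003, 7, 16)
# ... and the date on which the figures were computed (the sidebar's
# "when was that percentage calculated?").
AS_OF = date(2003, 8, 15)

INVENTORY = [
    Asset("web-01", True, date(2003, 7, 18)),
    Asset("web-02", True, date(2003, 7, 20)),
    Asset("db-01", True, date(2003, 8, 1)),
    Asset("file-01", True, date(2003, 8, 10)),
    Asset("hr-01", True, None),            # managed but still unpatched
    Asset("lab-pc-17", False, None),       # not under IT management: state unknown
    Asset("lab-pc-22", False, None),
    Asset("printer-3", False, None),
]


def is_patched(asset: Asset, as_of: date) -> bool:
    """True only if a patch was applied on or before the as-of date."""
    return asset.patched_on is not None and asset.patched_on <= as_of


def patch_latencies(assets, announced: date, as_of: date):
    """Days from announcement to patch for each managed asset patched by as_of."""
    return [(a.patched_on - announced).days
            for a in assets if a.managed and is_patched(a, as_of)]


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 for an empty denominator."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def summarize(assets, announced: date, as_of: date) -> dict:
    """The figures a CSO could put on a slide, with the date they were computed."""
    managed = [a for a in assets if a.managed]
    unmanaged = [a for a in assets if not a.managed]
    latencies = patch_latencies(assets, announced, as_of)
    unpatched_managed = [a for a in managed if not is_patched(a, as_of)]
    return {
        "as_of": as_of.isoformat(),
        "pct_nodes_managed": pct(len(managed), len(assets)),
        "median_days_to_patch": median(latencies) if latencies else None,
        "mean_days_to_patch": round(mean(latencies), 2) if latencies else None,
        "pct_managed_still_vulnerable": pct(len(unpatched_managed), len(managed)),
        "nodes_with_unknown_state": len(unmanaged),
    }


if __name__ == "__main__":
    for key, value in summarize(INVENTORY, ANNOUNCED, AS_OF).items():
        print(f"{key}: {value}")
```

Unmanaged nodes are reported separately rather than folded into either the patched or the unpatched count: their state is simply unknown, which is the point of the sidebar's last question.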

What that means, Pescatore said, is that CSOs had better be ready to quantify what they're doing, in terms as clear as those used by network administrators, who can describe their performance in terms of downtime statistics, or by help desk officials, who can talk about how quickly they resolve system problems.

"I really think the key challenge that we're going to face over the next couple of years is demonstrating that we're delivering some sort of [specific] security service level and defending how much money is being spent to achieve that service level," said Pescatore, who is vice president for Internet security at Stamford, Conn.-based Gartner Inc.

His session, titled "Information Security Scenario," was one of three security presentations. Others focused on cybersecurity threats and security architecture.

In an interview after his talk, Pescatore added that security is always a big draw at the Gartner show. He estimated that generally about 25% of conference attendees come for security. Overall, about 6,000 people are attending this fall's ITxpo, which began Sunday and runs through Friday.

"It's an important topic," said Robert Loomis, an assistant director of IT at the New York State Employees Retirement System, which, as part of the state comptroller's office, is currently working on a security policy. "It's helpful to see this, to kind of confirm the goals that we've got. We've done a good job, I think."

Some of the advice that resonated for Loomis included the notion that organizations should establish enterprise-wide goals before adopting specific rules.

Other advice that was offered includes: Take insider threats seriously. Learn to speak the language of business managers. And don't buy shoddy software -- make vendors demonstrate that their products are secure.

Other observations were less intuitive. For instance, Pescatore said admins shouldn't expect to see smart cards and biometrics become the norm anytime soon. Rather, among the new methods of user authentication, he singled out a different winner, one that involves the use of cell phones. With this method, a user logs into his account, is prompted for his password, and then a text message is sent to his cell phone with an additional code he must key in to the computer.
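The server side of the cell-phone code step described above, as an added example that is not from the article, Gartner or any vendor: after the password check, the server issues a short-lived random code, sends it out of band, and accepts it exactly once. The 6-digit length, 5-minute lifetime, 3-attempt limit and the SMS-gateway callback are assumptions made for the example; the phone number and clock are constructed.

```python
"""Server side of the cell-phone code step: issue a short-lived one-time code,
deliver it out of band, verify it once. Added example, not from the article or
any vendor; the 6-digit length, 5-minute lifetime, 3-attempt limit and the
SMS-gateway callback are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    digest: bytes          # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SecondFactor:
    """Holds at most one outstanding code per user."""

    def __init__(self, send_sms, clock=time.time):
        self._send = send_sms        # callback(phone, text); a real gateway is out of scope
        self._clock = clock          # injectable so expiry can be exercised
        self._key = secrets.token_bytes(32)
        self._pending: dict[str, PendingCode] = {}

    def _digest(self, user: str, code: str) -> bytes:
        # Bind the code to the account so a code issued for one user is useless for another.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, phone: str) -> None:
        """Called after the password check succeeds; sends a fresh code to the phone."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(self._digest(user, code),
                                          self._clock() + CODE_TTL_SECONDS)
        self._send(phone, f"Your login code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        pending = self._pending.get(user)
        if pending is None:
            return False                       # nothing outstanding: never issued, used, or locked out
        if self._clock() > pending.expires_at:
            del self._pending[user]            # expired: user must request a new one
            return False
        if hmac.compare_digest(self._digest(user, submitted), pending.digest):
            del self._pending[user]            # single use: a replayed code fails
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[user]            # too many guesses: discard the code
        return False


def demo() -> dict:
    """Walks through the exchange with a constructed SMS outbox and a fake clock."""
    outbox = []
    now = [1_000_000.0]
    sf = SecondFactor(send_sms=lambda phone, text: outbox.append((phone, text)),
                      clock=lambda: now[0])
    phone = "+15555550100"                     # constructed number

    sf.issue("alice", phone)                   # step 1: password accepted, code sent
    code = outbox[-1][1].split()[-1]           # step 2: user reads the text message
    accepted = sf.verify("alice", code)        # step 3: user keys the code in
    replay = sf.verify("alice", code)          # the same code again is refused

    sf.issue("alice", phone)
    code = outbox[-1][1].split()[-1]
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    guesses = [sf.verify("alice", wrong) for _ in range(MAX_ATTEMPTS)]
    after_lockout = sf.verify("alice", code)   # right code, but already discarded

    sf.issue("alice", phone)
    code = outbox[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    expired = sf.verify("alice", code)

    return {"accepted": accepted, "replay": replay, "guesses": guesses,
            "after_lockout": after_lockout, "expired": expired,
            "messages_sent": len(outbox)}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the comparison uses `hmac.compare_digest` so a wrong guess cannot be distinguished by timing, and only a keyed hash of the code is kept, so a leaked pending table does not reveal codes that are still valid.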

Another idea Pescatore pegged as a myth is the notion that "security is a journey," not a destination. The saying is one frequently used to communicate the point that organizations should never cease thinking about security. While that may be true, Pescatore said, the journey can't be entirely free flowing.

"We're on a cruise to nowhere," Pescatore said, gently poking fun at those who adopt the journey-not-a-destination mantra. He added, "You better have some waypoints along the way, if you're on this cruise." To address that issue, Pescatore offered some tips on how to quantify security-related metrics. (See sidebar.)

Attendee Robert S. McKeeman said that he found those tips useful and that he enjoyed the discussion of accountability.

"I think that's an issue," said McKeeman, who works on a contractual basis for the cybersecurity division of the U.S. Department of Veterans Affairs. Asked whether he faces the kinds of accountability questions Pescatore described, he said: "All the time."

Others, however, said they would have liked to see more specifics. At the close of the third hour-long session, Don Morrison, director of IT services for Novell Inc., said, "It's difficult in an hour to get to the meat of the issue."

Asked what sorts of details he'd have liked to see, Morrison said that, since he's so focused on his own environment, he finds detailed best practices of other companies to be useful.

Still, he added that it's understandable that that sort of data isn't being shown on slides at the ITxpo: "Of course, security is a real hard area to get case studies for," since most companies don't want to reveal detail about their security operations. Morrison did reveal one fact about Novell, though: The company dealt with 800,000 attempted attacks in August, way up from only 2,500 in May.

"We have done pretty well," he said. And that's with less than 5% of the IT budget.

