Sixty-six percent of respondents say their vulnerability to breaches and malicious code attacks is either the same as last year or worse.
Since when is “no worse than before” an acceptable return on investment? The solution lies in securing against specific threats. The problem is that IT lags well behind other disciplines in adopting systematic risk management processes. But those technology professionals who have made the leap into classifying IT assets, assigning values, evaluating threats, then determining where and how to mitigate risk find the process to be extremely valuable. In short, risk management principles bring rigor to information security.
Here’s one illustration from our security study of how risk management can focus companies on the most important threats: Insecure coding practices are a pox on all our houses.
Roughly half of respondents whose organizations have risk management plans in place specify security features at the time of application design.
Of those without risk management plans, just 22% focus on code security.
We need the jolt that this security study provides.
Twenty-one percent of companies never conduct security risk assessments, and of those that do, just one in five imposes the rigor of using a specialized external auditor.
This despite 63% contending with government or industry regulations related to data security, many of which don’t give adequate guidance on how to comply. Best practices are the best defense in such gray areas.
mployee data.
We had hoped that the ongoing parade of high-profile data losses would set most companies on the road to comprehensive privacy protection. So we were discouraged that the only actions to safeguard customer data that are used by more than half of companies are … informing employees of standards and putting a privacy policy on the Web site.
Fine steps, but they don’t remove the need for encryption (used by 34%) or privacy policy audits (25%). Amazingly, 11% say they have no privacy safeguards for customer data.
We could go on, and we will. But we need to stop for a second and ask, what gives?
WHAT DO WE GET FOR THE MONEY?
There’s no blaming the financial powers that be. For nearly 30% of respondents, security accounts for at least 11% of the total IT budget.
The bad news: Viruses, phishing attacks, and worms continue to cause headaches, and companies keep pouring money into firewalls and antivirus protection.
Speculation that these product categories would fade away, or at least be assimilated into other technologies, is premature, as 13% say their vulnerability to breaches and malicious code is even worse than last year.
And they’re the only two product categories rated as effective by more than half of respondents.
Complexity is cited as the biggest security challenge by 62% of respondents. More data is ending up on the network. More agents are running on company computers, and employees expect some control over the PCs they use. As travel and energy costs skyrocket, companies are increasing the use of branch offices and teleworkers, a trend that spreads data far and wide as people expect to work securely from customer sites, home, or the coffee shop down the street. Complexity also stems from juggling multiple compliance requirements, training and educating staff and users in security awareness, and coping with the increasing technical sophistication of networks.
Most organizations–63%–must comply with one or more government or industry regulations, many of them vaguely worded and offering little guidance on translating requirements into technology. To meet compliance goals, Kevin Sanchez Cherry, information systems security office program manager with a U.S. government department, says he applies best practices, which he determines by consulting a variety of sources, including the National Institute of Standards and Technology, the SANS Institute, and colleagues facing similar challenges.
Electric Insurance spends about 20% to 25% of its project planning time on risk analysis and management, says Michael Hannigan, manager of systems engineering and support. Because the entire process, from planning to postproduction, includes risk analysis, Hannigan finds potential problems are identified and addressed early.
Risk assessments primarily are used to develop mitigation policies and fix vulnerabilities; that can yield process-oriented efficiencies, such as leveraging databases to simplify asset management and policy compliance.
http://www.informationweek.com/news/security/management/showArticle.jhtml;jsessionid=TVNSCDTAPU452QSNDLPSKHSCJUNN2JVN?articleID=208800942