Friday, February 13, 2009

2008 Security Survey: We're Spending More, But Data's No Safer Than Last Year

In the face of growing demand to target security investments based on risk management principles--a domain foreign to many CIOs and infosec practitioners--there's wisdom to be garnered from our peers.
By Mike Fratto
InformationWeek
June 28, 2008 12:02 AM (From the June 30, 2008 issue)


Zero in on the information security risks facing your company, or you'll likely find yourself overwhelmed. That's the overall message of our 2008 InformationWeek Strategic Security Study, which polled nearly 1,100 IT and business professionals about plans and priorities for securing their companies' assets.

Getting the money for security isn't the biggest problem: Fully 95% will see their budgets either hold steady or increase this year. It's that the money isn't making data safer. Sixty-six percent of respondents say their vulnerability to breaches and malicious code attacks is either the same as last year or worse. Since when is "no worse than before" an acceptable return on investment?
Here's one illustration from our security study of how risk management can focus companies on the most important threats: Insecure coding practices are a pox on all our houses. Roughly half of respondents whose organizations have risk management plans in place specify security features at the time of application design. Of those without risk management plans, just 22% focus on code security.
We need the jolt that this security study provides. Twenty-one percent of companies never conduct security risk assessments, and of those that do, just one in five imposes the rigor of using a specialized external auditor. This despite 63% contending with government or industry regulations related to data security, many of which don't give adequate guidance on how to comply. Best practices are the best defense in such gray areas.

Companies also are behind in implementing encryption to protect customer and employee data. We had hoped that the ongoing parade of high-profile data losses would set most companies on the road to comprehensive privacy protection. So we were discouraged that the only actions to safeguard customer data that are used by more than half of companies are ... informing employees of standards and putting a privacy policy on the Web site. Fine steps, but they don't exclude the need for encryption (used by 34%) or privacy policy audits (25%). Amazingly, 11% say they have no privacy safeguards for customer data. Zip. Zero.

We could go on, and we will. But we need to stop for a second and ask, what gives?

No comments:

Post a Comment