OverviewBy Terry Kirkpatrick | Posted 02-01-2002
After the events of Sept. 11, we decided to repeat our August survey on security. We found signs that security is now taken more seriously: Actual security spending increased, IT executives are more thoroughly enforcing security procedures, and line executives are more willing to improve security practices. But as in August, only about half the companies polled plan to increase security spending, and general managers still aren't security savvy. Overall, security, already a top priority, has gained more importance.
The vast majority of non-IT executives are willing to modify business practices to support better security measures, with 87% of our sample reporting such support, up from 74% reported in August. But when it comes to understanding security, IT executives believe their business counterparts only rate a 4.9 on a scale of 1 to 10up only slightly from 4.5 in August.
The number of large companies that plan to increase security budgets over the next 12 months actually dipped slightly, with 57% planning increases last August and 52% in this survey. But when asked for specific dollar amounts, 18% of the February respondents from large companies said they intended spending more than $1 million in 2001a figure anticipated by only 7% last August. The number of all companies that spent 5% or more of their overall budget on security grew from 43% in August to 53% in February.
Lynn Greiner was on an airplane preparing to land at New York's LaGuardia Airport the morning of Sept. 11. As the plane banked into the landing pattern, the World Trade Center towers came into view through the left windows. Just then, she saw the explosion.
When the plane landed, phone lines were clogged, but Greiner, vice president of technical services at Ipsos-NPD Canada Inc., a marketing research firm in Toronto, was able to get a message to her office by wireless e-mail: "Be wary. The nuts are going to come out of the woodwork."
What actually happened was anthrax, she says, not the cyber-maliciousness she had envisioned. Still, Sept. 11 brought the matter of IT security more clearly into focus in most organizationsevident in a comparison of our survey results with those from our first security survey six months ago.
"Once you ask yourself whether you're prepared for cyberterrorism, the answer will tell you how prepared you are for disgruntled employees, competitive espionage or disasters," says Giga Information Group Inc. Vice President Steve Hunt. "That's why security is on so many people's minds. Asking the question is enough."
Ed Ruppel agrees. He's assistant vice president for application architecture in the Fort Wayne, Ind.-based annuities group of Lincoln National Corp. "September 11 was more about disaster recovery and business continuity," he says. "But it has made us take every possibility as a serious threat. It just raised our awareness. Employees are more tolerant of security measures, such as those meant to stop e-mail-borne viruses. Before, it was, 'Why do we need this?' Now, it's, 'Well, we understand.' It's a mind shift in the right direction."
Most CIOs we spoke with, however, said Sept. 11 changed little in their security operationsexcept for a few more meetings. "I get in a lot of meetings just to quiet things down," says Dick Price, CTO at Crane, a printer and publisher in Harwich, Mass. "September 11 scared some of our executives half to death. Once they realized that we have our disaster recovery plans, off-site backup [of working and archival data], and that we have been backing up, and have been taking care of business, they said, 'Oh, not a big deal, okay.' Everything worth saving here gets backed up in real time. Then just to be really safe, we make another backup. Now we have three complete, real-time images of secure data."
All this should be second nature, Price says. "Part of every deployment should be preparing for redeployment. At the time you deploy an application you should ask, 'What if the building melts?'"
Most companies have not changed their security budgets because of Sept. 11, says Huntmost had already planned a 4 percent to 5 percent increase in 2002. A subset of companies, however, immediately pushed their total IT budgets up by one percent to three percent for added security. "These are companies that consider themselves part of the national infrastructuredefense contractors, telecomsand thus at greater risk to cyberterrorism," he says. "Their immediate need is people who can help make sure systems are patched with updates. They are reviewing architectures, and composing and promoting security policies. To quite a large extent, they are hiring senior managers of security, even at the executive level."
The impetus for these efforts often comes from the top. At several very large corporations he works with, Hunt says, "the CEO called in the head of IT security and the head of physical security after Sept. 11 and asked, 'Are we prepared?' The two guys had never met each other before! That is panicking CEOs, who are thinking, 'What in the world are we spending our money on? What's our policy? Do we even know what we're doing?'"
While some companies in the financial services, insurance and defense industries are dramatically increasing their information security and disaster recovery budgets, it's not surprising that others haven't yet done so, says Don Ulsch, cofounder of ObServitus Inc., a network security and disaster recovery company in Boston. "It's too soon," he says. "They're trying to identify solutions. You just don't go out and invest helter-skelter. You don't just pick a solution off the shelf. It has to be part of your overall business strategy. You've got to look at all the considerations, all the business processes and how they will be impacted by security, what the disaster recovery plan looks like, what the worst-case scenarios look like."
Indeed, the number of cyber break-ins and vulnerabilities continues its inexorable rise, doubling in 2001 over the year before, says Richard Pethia, director of the Pittsburgh-based CERT Coordination Center, a government-funded organization dedicated to network security. "This puts a tremendous strain on system administrators, who have to get upgrades and patches and just stay on top of the flow of information," he says.
Viruses are the biggest headache for our survey participants90 percent have suffered a virus attack, up from 77 percent six months ago. "There are more of them, and they're nastier," says Greiner at Ipsos-NPD Canada. She and other IT executives say that educating users is paramount. "There's only so much nailing down of things you can do," Greiner says. "Without locking yourself in a steel cage and passing food through a little window, there's not much you can do." Half of our respondents have beefed up employee security training since Sept. 11.
Robert Wilson, CTO at Tessco Technologies Inc., a value-added distributor of wireless products in Hunt Valley, Md., says viruses are his chief worry as well, and in response, he's moved to thin clients. Since these desktop machines are essentially terminals that run programs residing on the server, it allows Wilson to centrally manage software revisions and patches. "We've also begun to standardize our laptops," he says. His old IT environment "had become a nightmaredifferent computers, different software versions, all kinds of compatibility issues."
The real need, Pethia says, is for organizations to fully understand what information is critical, where it resides and how it's at risk. "Organizations that call us for help often have never really set priorities on what is most important to protect," he says.
While our survey found that only 14 percent of respondents place responsibility for data security in the hands of a chief security officer, Giga's Hunt says, "Suddenly a chief security officer is the most fashionable thing in the world. My phone is ringing off the hook asking for advice on this." That's because the chief security officer's job "is not to secure the parking lot or the network; the job is to secure the business," says Hunt. "So many of these threats, even cyberterrorism, originate inside the corporation. Get a tainted employee on the payroll, and it's all overa firewall won't amount to diddly-squat."Terry A. Kirkpatrick
The results are available in Adobe Acrobat PDF format. To download the free Adobe Acrobat Reader plug-in, click here.
Conclusion 01: Security Awareness
Comparing the results of the two surveys show that business executives are more willing to modify business practices in order to boost security, and that security has grown as a priority, but not by much: Security's importance to the enterprise, both as an IT issue and a business issue, has inched up just slightly.
Security is only a slightly more important issue for top IT executives now, but that's mainly because security was already a top priority to them. In August, security rated an 8 on a scale of 1 to 10 as an IT priority; in February, it crept up to 8.3. The same is true of security as a business issue: It rated a 7.3 in August and 7.6 in February.
Companies are slightly more assured about the adequacy of their security systems now, rating their confidence at 7.2 on a scale of 1 to 10, up from 6.8 in August.
We learned in August that IT executives don't perceive their non-IT counterparts as being savvy about security. The events of Sept. 11 didn't change things: IT execs say security awareness hasn't increased significantly outside of the IT department. On a scale of 1 to 10, the mean was 4.5 in August; it's only 4.9 now.
Still, the terrorist attacks seem to have had an impact on non-IT executives. In August, 74% were willing to make changes to the way they did business; that figure jumped to 87%.
Conclusion 02: Spending
Security spending for 2001 was significantly higher in the most recent sample, especially for larger companies. Security spending as a percentage of overall IT budgets also rose. But somewhat fewer security budgets are projected to grow as fast for 2002. One explanation is that while 2001 security investments rose, the rate of increases won't be carried over by as many companies into 2002.
Security spending as a percentage of overall IT spending rose from 43% (companies that spent 5% or more of their overall IT budgets on security) in August to 53% in February. This was especially noticeable for large companies that spent 5% or more on IT, which jumped from 37% to 51%.
Security spending in 2001 also rose in real dollars at large companies. When asked about specific budgets, 18% of large companies in February said they thought they would end up spending more than $1 million in 2001 compared with only 7% in August.
However, for large companies, there's a minor drop in projected spending increases for 2002. In August, 57% said they'd increase security spending over the next 12 months. That response dropped slightly in February to 52% though it's not clear if this is due to tough economic times or some other factor.
Conclusion 03: Security Breaches
One indicator (albeit backward-looking) of the security challenges facing CIOs is the number of actual breaches that have occurred. The results are decidedly mixed: Most network hacking categories are down, but virus and denial-of-service attacks are up. Intrusion costs have increased, although their impact on productivity wasn't overwhelming.
The number of security breaches reported in the past 12 months went up slightly, from an average of 2.8 reported in August to 3.1 in February. That increase, however, was mostly due to more IT executives from larger companies committing to specific numbers.
Our February survey uncovered that a whopping 94% of large businesses reported a virus intrusion in the previous 12 months. Large companies reported a significant increase of data stolen or compromised due to network hacks: 8.1% in February compared with 4.2% in August. Virus attacks increased from 77% to 90% between the surveys, and denial-of-service attacks went up from 26% to 34%. But penetration of enterprise networks by hackers is down from 45% in August to 33% in February in the case of hacks that did not result in theft of data or Web site defacement.
Still, other than lost productivity, the impact of these intrusions was relatively small. While 10% said their customers couldn't retrieve information at some pointup slightly from nearly 8% in Augusta substantial 79% said they'd only lost productivity, vs. 73% earlier.
The cost these intrusions to large companies has risenfrom a mean of $78,499 to $156,770. But that's largely due to the fact that 6% of larger companies claimed damages of more than $1 million.
Conclusion 04: Practices
Several new questions posed in our recent survey indicate improvements in such security practices as requiring outsourcers to follow company security guidelines. Many firms have policies to physically protect data, have an IT executive in charge of data security and assigned more IT staff to security. But more than half of them have yet to perform a formal risk assessment.
Only 47% of respondents in February said their IT department has carried out a formal assessment of their security vulnerabilities. That's slightly down from 48% in August.
A resounding 92% of all respondents have policies for physically protecting their data storage systems. Such procedures are in place at 88% of small companies.
The person responsible for data security is an IT executive for 72% of respondents, and 24% of the time it's someone with "security" in their title, such as a chief security officer or a vice president or director of security.
At 59%, many but far from all companies require their third-party outsourcers to comply with their security regulations. That rises to 67% for the large companies surveyed.
Overall, IT executives have increased the percentage of IT staff devoted to security slightly from 3% of employees to 4%. In February, 16% of polled companies said they assigned 11% or more of their IT staff to security, up from 8% earlier.
Conclusion 05: Response to Sept. 11
Activity since Sept. 11 seems to have focused mostly on improving employee training and enforcing existing security procedures rather than on creating new ones. But when it comes to cyberterrorismthe threat of malicious attacks against IT resourcesCIOs can be seen, at best, as moderately concerned.
CIOs have clearly been active since Sept. 11. When asked what changes they've made in security procedures since that date, 62% of all respondents said they are more stringently enforcing existing procedures. Half have focused on better employee training, and 35% have either begun or implemented a new security plan. But only 14% are screening IT personnel more thoroughly, and 3% created the role of chief security officer.
Cyberterrorism is a concern for IT executives, but not a very high oneit rated a mean of 6.2 on a scale of 1 to 10. That may be due to the fact that Sept. 11 was much more about physical rather than digital terrorism.
Only 4% of the companies that have performed a formal security risk assessment claim that Sept. 11 spurred the most recent assessment.
Security was an important concern for CIOs before Sept. 11, but it has become an even higher priority following the attacks. Companies have invested both financial and human resources to bolster security, and have made some improvements to their security practices. However, CIOs do not show the same high degree of concern for cyberterrorism. Given the nation's and the economy's dependence on computer networks, and the fact that less than half of our respondents' companies formally assess their security vulnerabilities, CIOs should consider devoting more attention to the threat of a cyberattack and review their security processes. And while line managers are more willing to support steps to improve security, the middling marks they receive for security awareness indicate further education is in order.
How the survey was done: CIO Insight designed the security survey in partnership with Survey.com, a San Jose, Calif.-based supplier of custom research services. CIOs, chief technology officers, and vice presidents of information technology and services gathered from a number of sources, including third-party lists and other Ziff Davis Media publications, were invited to participate in the study by e-mail. The new questions for February were posted on a password-protected Web site, and 642 people responded from Dec. 6 to Dec. 10. The results that were first published in August were posted from June 12 to June 14, and are based on 554 respondents.