Research Results. By Terry Kirkpatrick | Posted 08-01-2001
For CIOs and senior technology strategists, IT security is a study in contrasts. On the one hand, it's a topic CIOs repeatedly cite as one of their most important issues, if not the most important. Yet a June CIO Insight study of 556 CIOs and senior IT executives suggests that their non-IT colleagues simply do not share their sense of urgency. Perhaps that's because, according to the survey, relatively few security breaches have hit their organizations, and most of those are of the "nuisance" variety, which doesn't cost a lot of hard dollars. Unfortunately, security is like insurance: You never know when you'll need it.
By Mike Perkowski
Overall, respondents rated security an average of 8 on a 10-point scale of importance as both an IT and a business issue for their organizations; this held true for companies of all sizes, highlighting how much publicity security breaches and viruses have generated in recent years. But they were less positive about the security readiness of their organizations, and far less sanguine about the security awareness of their organizations' senior business executives.
The survey results also paint a portrait of the most security-conscious IT executives and their companies. This picture not only suggests that there are gaps in how even the most sophisticated CIOs view security practices, but also points the way to developing a more secure enterprise.
Among the many thousands of networks that caught the "I Love You" virus last year was the one Cliff Harrison manages at Atlas Technologies Inc. in Fenton, Mich.
"It took my network down for about two hours," Harrison says, "and it costs us about $7,500 an hour if the network is down for any reason." Harrison is the information systems manager at Atlas, which supplies carmakers and other companies with manufacturing equipment. His experience puts a human face on the billions of dollars in damages the virus caused worldwide.
So this year Harrison will be installing network-supported anti-virus software, replacing the programs on individual workstations. "Typically, we would discover that users were two months to two years behind in updating their virus definitions," he says.
And so it goes, day after day, in every company, university and government agency we spoke to: a never-ending parry and thrust with those who threaten the security of their networks. Indeed, 77 percent of respondents to this month's security survey were hit by viruses last year. "Ultimately, with everything changing, you're in a constant battle," says Michael Schick, vice president for technology at Heitman Financial LLC, a real estate investment firm in Chicago. "Everything has to be updated as you get new and different threats."
Organizations must be constantly vigilant, says Richard Pethia, director of the CERT Coordination Center, a government-funded organization dedicated to network security. "New technologies bring new vulnerabilities," he says. "And we're constantly discovering vulnerabilities in old products." He expects that the number of vulnerabilities reported this year will be double last year's number.
As a result, CIOs are devoting more money and time to security. Harrison's security bill at Atlas nearly doubled this year, and more than half of our respondents will be spending more this year. And the costs will continue to grow as the world becomes more interconnected, and as the cleverness of those who would cause harm increases. In 1989, CERT/CC counted fewer than 200 security incidents (the Melissa virus, for instance, and everything that resulted from it counts as one incident). In the first quarter of this year alone, CERT/CC recorded more than 7,000 incidents.
No one is immune. When 30 computer security experts involved in a spare-time endeavor called The Honeynet Project hooked a typical computer network to the Internet to see what hackers would do, it was probed and exploited in 15 minutes. "You're dealing with intelligent adversaries who are going to find your weak points," Pethia says. "That's what makes it different from other kinds of risk management."
Network managers must balance security against the business advantages new technology brings. "My biggest issue is allowing our users to do everything they need to do to be efficient from a business standpoint, without opening the door to an attack," says Schick. At Heitman, investment deals were once made in person or on the phone. "Now even big deals are done by e-mail at some point. If a big deal was being done and our network went down, it could cost us millions," he says. He's now working through the security implications of Web-enabling parts of the business.
The CIOs we spoke to understand the key role employees play in security. Some take precautions when employees are being dismissed, quickly removing their network access, for example. And everyone knows that education is key. "Your people can definitely cause you problems if they don't do the right thing," says Jim Fulton, corporate director of MIS at Ulbrich Stainless Steels & Special Metals, Inc., in North Haven, Conn. "We try to teach them good practices, such as what to do with strange e-mails. But we also have a facility to automatically update virus definitions on everyone's desktop, because if they had to remember it would never get done."
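Harrison's finding that workstations were "two months to two years behind" on virus definitions, and Fulton's point that updates only happen if they are automatic, both come down to the same control: knowing which hosts are actually current. The script below is an added example, not code from the article or from any of the companies quoted in it. It audits a constructed endpoint inventory (the hostnames, dates, engine versions and the 14-day/60-day thresholds are all assumptions for illustration) against a fixed audit date and buckets each host by the age of its definitions, treating unparseable or future-dated entries as "unknown" rather than silently counting them as current.

```python
"""Antivirus definition-staleness audit over an endpoint inventory.

Added example: the inventory, thresholds and audit date are constructed
for illustration and are not data from the CIO Insight survey or from
any company named in the article.
"""
from datetime import date

# Constructed sample inventory: hostname, last definition update (ISO date),
# engine version. One row deliberately carries an unparseable date to show
# how the audit reports it instead of assuming the host is fine.
INVENTORY_CSV = """\
host,last_definition_update,engine
ws-fenton-01,2001-06-28,4.0.2
ws-fenton-02,2001-04-12,4.0.2
ws-fenton-03,1999-05-30,3.5.1
srv-file-01,2001-06-30,4.0.2
srv-mail-01,2001-06-10,4.0.2
ws-fenton-04,bad-date,4.0.2
"""

AS_OF = date(2001, 7, 1)  # fixed audit date so the run is reproducible

# Assumed policy thresholds, in days, not figures from the article.
STALE_DAYS = 14
CRITICAL_DAYS = 60


def parse_inventory(text):
    """Parse the CSV text into (host, last_update_date_or_None, engine) tuples."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split(",")))
        try:
            updated = date.fromisoformat(fields["last_definition_update"])
        except ValueError:
            updated = None  # unparseable date: reported as unknown, never as current
        rows.append((fields["host"], updated, fields["engine"]))
    return rows


def classify(updated, as_of=AS_OF):
    """Bucket one host by definition age; unknown and future dates are flagged."""
    if updated is None:
        return "unknown"
    age_days = (as_of - updated).days
    if age_days < 0:
        return "unknown"  # clock skew or tampered timestamp: do not trust it
    if age_days >= CRITICAL_DAYS:
        return "critical"
    if age_days >= STALE_DAYS:
        return "stale"
    return "current"


def audit(text, as_of=AS_OF):
    """Return a dict mapping each bucket to the list of hosts in it, in inventory order."""
    report = {"current": [], "stale": [], "critical": [], "unknown": []}
    for host, updated, _engine in parse_inventory(text):
        report[classify(updated, as_of)].append(host)
    return report


def coverage(report):
    """Fraction of the fleet that is current; everything else counts as a gap."""
    total = sum(len(hosts) for hosts in report.values())
    return len(report["current"]) / total if total else 0.0


if __name__ == "__main__":
    result = audit(INVENTORY_CSV)
    for bucket, hosts in result.items():
        print(f"{bucket:9s} {len(hosts):3d}  {', '.join(hosts)}")
    print(f"fleet current: {coverage(result):.0%}")
```

The useful number for the corner office is the last line: the share of the fleet that would actually have caught a virus with yesterday's signatures. Hosts in the "unknown" bucket are the ones a central, server-pushed update (the approach Harrison is moving to) is meant to eliminate, because a workstation that cannot even report its definition date is not one you can assume is protected.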
Employees can be allies in the battle. "We view our staff as a strength of our overall information security program," says Douglas Nagel, technology officer for Nationwide Federal Credit Union in Columbus, Ohio. "They are the ones who make sure viruses don't come in and holes aren't created in the firewall. They have to understand that our business is built on trust, and their role in maintaining that trust is critical."
It's also necessary to win support in the corner office. "Usually for me it's not an issue," says Fulton at Ulbrich, "because, in the case of a virus outbreak, everybody is affected. It's very visible, and anything we do is appropriate as far as they're concerned. Some esoteric things, like VPN hardware or encrypting outside communications, that's a little harder to sell. They want to know what it's going to cost and what's the risk. They can understand it on a gut level, but after all, we're not the Defense Department. We don't make nuclear arms, we roll and distribute stainless steel."
Nagel at Nationwide has created a team, consisting of himself, the company's security officer and the internal auditor, that meets regularly to review risks and then makes recommendations on spending. Pethia at CERT/CC encourages technical and business-side people to work together, since they will bring different perspectives to the matter. This collaboration should be part of an organizationwide, comprehensive plan, Pethia says, to prevent companies from focusing on one aspect of security and overlooking others. "Security is a mindset and a management practice as much as it is a technology," he says.
Nevertheless, one-third of our respondents indicated some difficulty in enlisting the support of senior executives at some point. Harrison at Atlas, who has been successful at it, says it's more political than technical. Full communication and credibility are important. "I don't believe in dealing with problems unless they really are problems," he says. "I don't impact the user any more than absolutely necessary."
The risk and the response vary from one industry to another. Says Ulbrich's Fulton: "There are lots of things that make us who we are, mostly our people and the processes we have. It's not like there's data on our servers that makes us who we are. Here, our product is millions of pounds of stainless steel out in the warehouse. They're not going to come and take that away. But in a financial institution, the data is the product. And you don't need a stethoscope and sandpaper. All you need is a computer and a modem."
Indeed, at Nationwide, Nagel has had to conform to the Gramm-Leach-Bliley Act of 1999, which governs financial institutions and the privacy of their customer information. "Privacy is critical by law," he says, "and it's the security that enables privacy. We have to prove that we are securing our members' information. We're subject to at least an annual review. In the past it was 'Show me your vaults, show me your cameras, show me your paper-shredders.' Now it's 'Show me your password policy, show me your firewall.'"
In the end it's difficult, perhaps impossible, to measure the return on investment in security. But perhaps that's the wrong way to think about it. "It's difficult to say we are overspending or underspending," says Heitman's Schick. "You can't overspend, really. You have to protect your data. It only takes one time, one hacker getting in and stealing all your financial data. It would be irresponsible on my part to not have the toughest security possible."
Terry A. Kirkpatrick
When it comes to security readiness, size doesn't help. Larger companies (those with at least 1,000 employees) typically devote larger portions of their IT department's staff and budget to security measures, but they are also more likely to have suffered security breaches, to have seen the number of security breaches increase from the previous year, and to have experienced more serious security problems.
Larger companies suffered an average of four security breaches in the past year, compared with just two breaches for companies with fewer than 1,000 employees, CIOs said. Those security breaches cost larger companies $79,000, compared with $56,000 for smaller companies.
Denial-of-service attacks were far more likely to have occurred at larger organizations, 36 percent of whose CIOs said their company suffered such an attack in the past year, compared with just 17 percent at smaller companies. Larger companies were also more likely to have been hit with a virus than smaller companies (81 percent versus 74 percent), and more likely to have had their Web sites defaced (27 percent versus 20 percent).
What does the security-conscious CIO look like? Not surprisingly, CIOs who place a high priority on security, those who rated security a 9 or 10 as an IT issue, will spend an average of $425,000 this year on security measures and technologies, while their counterparts who rated security 8 or lower will spend an average of $210,000.
Security-conscious CIOs were also more likely than their counterparts to:
- Meet with their senior executives to discuss security issues (73 percent versus 59 percent);
- Have a dedicated chief security officer (43 percent versus 25 percent);
- Perform a formal assessment of security risk (59 percent versus 41 percent);
- Conduct simulated security breaches (43 percent versus 26 percent);
- Force users to change passwords more frequently (75 percent versus 60 percent);
- Consult with vendors about their own security precautions (56 percent versus 42 percent).
The role of senior business executives in beefing up security is significant, and CIOs responding to the survey expressed concerns with their executives' approaches to security. Indications are that CIOs often see their executives as paying lip service to aligning their companies' business practices with security concerns. At the same time, CIOs don't seem to be taking all the steps they could or should be taking in order to make security a higher priority for their companies.
CIOs gave their senior business executives a sub-par average score of 4.5 on a 10-point scale of security awareness. CIOs who cited security as a high priority graded their execs slightly higher: 5.1, versus 4.1 from less security-conscious CIOs.
Sixty-five percent of respondents said they'd met with senior executives during the past 12 months to discuss security. And 74 percent said their colleagues understood the concerns raised and seemed willing to make changes to business practices to make their companies more secure.
Still, a full 30 percent of CIOs said those same business executives forced their CIOs to cancel planned changes to business practices to ensure better security after receiving complaints from business units or end users.
Just 48 percent of respondents said their IT departments had performed a formal risk assessment to determine their organizations' current level of security risk. And only a third said their companies conduct simulated security breaches in order to determine their points of security risk.
There aren't many significant differences between CIOs who assign a high priority to security and those who don't, in terms of what security features they've put in place. Antivirus software and firewalls are far and away the most frequently deployed technologies.
Desktop antivirus software is either already in place or in the process of being installed by 95 percent of the CIOs' companies, while server antivirus software was cited by 89 percent. Firewall appliances were mentioned by 80 percent of the respondents, followed by firewall software on discrete servers (70 percent) and desktop/notebook inventory software (67 percent).
Technologies not yet widely deployed include decoy services (10 percent), risk-assessment software (21 percent) and PKI (public key infrastructure) document encryption (23 percent).
The only significant divergence between CIOs who view security as a high priority and those who do not is in the use of risk-assessment software (29 percent compared with 15 percent), PKI document encryption (30 percent versus 18 percent), hybrid intrusion detection (42 percent versus 25 percent) and managed security services for firewall management (51 percent versus 34 percent).
IT security involves a relatively straightforward risk-management trade-off: the more security you put in place, the more onerous it is for end users, and until the technology arrives to make strong security invisible to end users, it will remain that way. The CIOs we surveyed clearly fall on the side of increased security, and while they fault their non-IT cohorts for lack of security awareness, they appear to be realistic about the burden it puts on their companies' business units. But CIOs aren't instituting enough of the high-profile risk-assessment measures, such as formal risk assessments and simulated breaches, that would increase awareness of the problem throughout their corporations.
How the survey was done: CIO Insight designed the security survey in partnership with Survey.com, a San Jose, Calif.-based supplier of online research services. The study was e-mailed to CIOs, CTOs and vice presidents of information technology and services gathered from a number of sources, including third-party lists and other Ziff Davis Media publications. The survey was posted on a password-protected Web site, and 554 people responded from June 12 to June 14.