The State of Information Security 2003
Covenant Health is a perfect example. Covenant Health wasn’t attacked, but the Slammer worm still infected the five-hospital network in Knoxville, Tenn. It slithered through a port left open to a Covenant service provider. That provider was also infected but not attacked; the worm had infected the service provider through a port left open to one of its partners.
To spin an old caveat: When you connect your network with a partner, you’re also connecting to your partner’s partners. Yet only 22 percent of respondents demand that partners practice safe business.
Covenant Health Senior Vice President and CIO Frank Clark learned the hard way. He now demands partners meet certain security requirements that he defines before they’re allowed to link to his network. "We now make them specify exactly what they want access to and what ports they need," he says. "What we’re finding is they themselves have a hard time knowing what they need access to." Clark hopes the corrective action causes a domino effect—that by requiring his partners to meet higher security standards, his partners will require their partners to do the same, and so forth.
To Do:
1. Pursue metrics and business justifications for security. Try to wean yourself away from using fear to justify security investments.
2. Set security requirements for anyone connecting to your network, and insist that partners and vendors meet those requirements.
No Correlations and Odd Correlations
It is difficult to find a relationship between good security and spending. And sometimes there’s even an inverse relationship.
Surprising:
The difference in spending between those companies that have
- 0-50+ incidents
- 0-10 days of downtime and
- $0-$500,000 damages in the last 12 months
never varies more than 1.06 percent.
Weird:
Companies that suffered more than a half million in security-related damages were more than twice as likely to say they were cutting their security spending as those who suffered no damages. Those who had more than 50 incidents and those who had more than 10 days of incident-related downtime were also more likely to decrease spending than those who reported no incidents and no downtime.
What the Numbers Mean
Since company size (and therefore budgets) varies so widely across the survey’s more than 7,500 respondents, the relative measure of security spending as a percentage of the overall IT budget provides a better comparative measure than the total spent on security.
The puny single percentage point between the highest spenders and lowest spenders shows that those suffering fewer security incidents didn’t necessarily spend more to stay secure. Or, conversely, those that were hardest hit didn’t spend any less than those untouched.