The State of Information Security 2003

Page 2 of 2

The puny single percentage point between the highest spenders and lowest spenders shows that those suffering fewer security incidents didn’t necessarily spend more to stay secure. Or, conversely, those that were hardest hit didn’t spend any less than those untouched.

So you can’t accuse the companies that suffered breaches of not spending enough. But perhaps they didn’t spend well. The hardest question for IT security officers to answer clearly isn’t, "How much should we spend?" but rather, "Where and how should we spend?"

The answer: Probably not on technology.

Security expert Bruce Schneier of Counterpane Internet Security, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World, believes that technology has been hamstrung in its ability to protect companies because it hasn’t been matched by security awareness.

"Most of the time security problems are inherently people problems, and technologies don’t help much," says Schneier. "Photo IDs are a great example. Technologists want to add this and that technology to make IDs harder to forge, but I worry about people bribing issuing officials and getting real IDs in fake names. [At least two of the 9/11 terrorists did that.] Technology that makes the IDs harder to forge doesn’t solve that problem."

Then there’s the problem of companies not using the technology they have to its full potential.

Seven out of 10 survey respondents used intrusion detection systems, eight of 10 used firewalls, and nine of 10 used antivirus software. But only 50 percent of events were detected through those technologies or through security service providers managing those technologies for a company. The other half were detected the harder way—by customers, colleagues or the news media alerting the company to a breach, or worse yet, to damages the event caused.

Companies have deployed so much technology, and have generated so much data in the form of log files, that they often have given up trying to interpret the data. The haystack’s grown too big to look for needles in it, says Andrew Toner, partner in PricewaterhouseCoopers’ security practice. "When they give up," he says, "that’s when breaches happen."

Giving up is one way to explain the tendency of companies that were hardest hit by hacks to cut their security budgets. Maybe these companies were hard hit by something else—the economy—and are cutting budgets across the board.

But it’s just as likely that they’ve decided that the money they did spend was not spent well. Why? Information security has not, for the most part, adopted risk management as a philosophy. It’s still treated binarily: Either we’re safe or we’re not. Either the money we spent worked or it didn’t.

"People think in terms of threats, not in terms of risk," says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who previously served as a security manager and safety manager at two prisons. "Risk management allows you to assemble threats into some order or importance so the available funds can be used most effectively to prevent and prepare for the identified risks."

So why haven’t information security professionals adopted a risk management approach? "Because it’s harder," McCreary says. "It takes more time and effort and, of course, more knowledge."
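McCreary's point is that risk management orders threats so limited funds go where they reduce the most expected loss. The following is an added illustration, not from the article or from any of the people quoted: a small risk register with constructed, illustrative figures (not survey data), ranked by expected-loss reduction per dollar and funded greedily within a budget. The register entries, rates and costs are all assumptions chosen to mirror the article's examples (unreviewed logs, a harder-to-forge ID that does nothing against a bribed issuer).

```python
"""Risk-based budget prioritization (constructed example, illustrative numbers)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    annual_rate: float      # expected incidents per year (annualized rate of occurrence)
    loss_per_event: float   # expected loss per incident (single loss expectancy)
    control_cost: float     # annual cost of the proposed mitigating control
    reduction: float        # fraction of expected loss the control removes (0..1)

    def ale(self) -> float:
        """Annualized loss expectancy: how much this risk costs per year, untreated."""
        return self.annual_rate * self.loss_per_event

    def benefit(self) -> float:
        """Expected annual loss avoided if the control is funded."""
        return self.ale() * self.reduction


def rank(risks):
    """Order risks by loss avoided per dollar spent (highest first), not by raw threat size."""
    return [r.name for r in sorted(risks, key=lambda r: r.benefit() / r.control_cost, reverse=True)]


def prioritize(risks, budget):
    """Greedily fund controls in rank order; skip any whose cost exceeds its benefit.

    Returns (funded control names, unspent budget)."""
    by_name = {r.name: r for r in risks}
    funded, remaining = [], budget
    for name in rank(risks):
        r = by_name[name]
        if r.benefit() > r.control_cost and r.control_cost <= remaining:
            funded.append(name)
            remaining -= r.control_cost
    return funded, remaining


# Constructed register; every figure below is made up for illustration.
REGISTER = [
    Risk("unreviewed IDS/firewall logs", 4.0, 50_000, 60_000, 0.5),
    Risk("phishing / social engineering", 2.0, 80_000, 25_000, 0.6),
    # Anti-forgery ID tech: high cost, low reduction because a bribed issuer bypasses it.
    Risk("harder-to-forge IDs vs. bribed issuer", 0.1, 200_000, 120_000, 0.3),
    Risk("unpatched web server", 1.0, 150_000, 40_000, 0.8),
]

if __name__ == "__main__":
    print(prioritize(REGISTER, 100_000))
```

Note that the largest single-event loss (the ID scenario) ranks last: the control barely moves the risk, which is exactly the "threats, not risk" mistake the article describes.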

To Do:

1. Spend for education and risk management training instead of technology.

2. Take better advantage of the technology you have by analyzing the data it generates, not simply viewing the technology as a tool to block attacks.

Why No One Hits .400 Anymore

The late evolutionary naturalist Stephen Jay Gould contended that complex systems (like nature or information security) evolve from wild variation in their youth to relative uniformity in maturity while maintaining an overall constant average in both.

To make his point, Gould, as was his wont, used baseball. In Full House: The Spread of Excellence from Plato to Darwin, he noted that throughout the history of the game the aggregate batting average of major league hitters has remained constant at about .260 but that there used to be a much higher incidence of .400 hitters than there is now. In fact, the .400 hitter could be said to be extinct. Ted Williams was the last player to hit over .400, and that was in 1941. Previously, Ty Cobb and Rogers Hornsby each did it three times.

How come no one hits .400 anymore, despite the fact that hitters are stronger, use better equipment and have access to advanced training technologies like video? The reason, Gould asserted, is that everything has improved around them, notably pitching and fielding. When baseball was young, no one knew the optimum way to pitch to a batter, or the best strategy for positioning fielders, or even what degree of success or failure was of professional caliber. But, over time, data has been assembled and analyzed, and best practices have emerged. Everyone gets so good at what they do, Gould asserted, that it becomes more difficult either to fail or to excel.

Information security in 2003 is where baseball was in 1922, a year in which three players hit over .400, many hit in the high .300s, and still more hit in the .100s.

Today, there’s wild variation in how well companies secure their enterprises. But over time, Gould would argue, data will accrete, best practices will emerge, information security will normalize, and everyone will move toward the mean.

Until then, however, some companies are Ty Cobb, and many, many others can’t bat their weight.


Copyright © 2003 IDG Communications, Inc.
