by Scott Berinato

The State of Information Security 2003

Oct 15, 2003 (16 mins)

The best place to start with “The State of Information Security 2003,” a comprehensive, exhaustive survey of global security practices conducted by CIO in partnership with PricewaterhouseCoopers, is with what it doesn’t include.

It doesn’t include any revelation that will make you slap your forehead and exclaim, “Oh, that’s what I should do!”

Nowhere in its pages will you find The Answer, because The Answer is a fiction, even if the problem—how to know if you’re making your enterprise as safe as possible as efficiently as possible—is not.

What this survey does include in its depth (7,500-plus respondents) and intricacy (44 questions cross-tabulated by company size, security budget, geographical region and dozens of other categories), is a profile of the imperfect and evolving world of information security. (You can view the entire survey at and significant slices of it beginning on Page 86.)

According to the survey, you’re just beginning to appreciate information security as an ongoing discipline. You understand that establishing good security practices will be hard and will involve a complex integration of technology, education, risk analysis and regulation.

You know you need to do more, but the survey indicates that you’re not yet doing it.

In one sense, you can hardly be blamed for temporizing. As the survey shows, right now information security is a confused and paradoxical business. For example:

  • You’ve increased spending significantly, and yet that investment has had no measurable impact on security breaches.
  • You’re constantly warned about digital Pearl Harbors, yet the vast majority of reported incidents are relatively small.
  • You’re told aligning security and business strategies should be a top priority, and yet those who’ve fared best avoiding breaches, downtime and security-related damages are the least likely to be aligned.

All this may be out of your enterprise’s control. However, in other areas, information executives seem to be contributing to the confusion. For example:

  • Respondents who suffered the most damages from security incidents were twice as likely as the average respondent to plan on decreasing security spending in the coming year.
  • Those same respondents were only about half as likely as the average respondent to list staff training as a priority.

In short, the survey shows that as much as the information security discipline has grown since its baptism—on Sept. 18, 2001 (one week after the terrorist attacks and the day the Nimda worm hit)—it hasn’t much improved.

However, what’s crystal clear is that confidence in security correlates to better security. In other words, enterprises that believe they’re doing better are doing better.

What follows are five selected views of “The State of Information Security 2003.” Each view provides insight into some aspect of this complex new discipline, including an innovative method for benchmarking security spending.

You may not find The Answer here, but you will find data and lots of it. And there’s no question that that’s what you need to start improving your information security.

The Confidence Correlation

Those who are very confident in their security have a stronger security infrastructure in place, and they spend more on security as a percentage of their IT budget.

What the Numbers Mean

Structure and dedicated resources breed confidence. And confidence, experts say, breeds better security. In a sea of data that fails to reveal relationships between security and best practices, the confidence factor is a welcome sight.

The respondents who describe themselves as very confident in their organizations’ security (24 percent) can be called security leaders. That group has created far more structure around security within the organization than the group that describes itself as less confident. They’ve hired more security executives and given those executives more control over policy, spending and personnel.

Another key point: The more confident a company is in its security, the less likely it is that security reports through the IT department. Many in the security world believe that IT’s control of information security has been a limiting factor in improving it.

For example, if the CIO is responsible for both the CRM implementation (which he’s been told to get done for $2 million in one year) and information security (which will add both time and money to the project), which charge will get his attention and which will get short shrift?

Bill Spernow, former director of IT for the Georgia Student Finance Commission, says the first thing he did when he got his job was fight for, and win, independence from the IT department. “If I see an organization where the CISO reports to some IT component, I see a position that’s not working, guaranteed,” says Spernow. “The conflict of interest is just too much to overcome. Having the CISO report to IT, it’s a deathblow.”

To Do:

1. Create structure around information security by hiring a CSO or creating an executive security committee.

2. Remove information security from the purview of the IT department.

The Per Capita Benchmark

Dividing the security budget by the number of employees reveals some surprising, and erratic, spending habits. But even here the confidence correlation is clear.

What the Numbers Mean

The per capita security spend—the information security budget divided by the number of employees—provides a benchmark with which a company can compare itself within its own industry and across industries, regardless of company size. It can also show how spending per employee varies geographically. This is a simple but powerful metric.

Instinctively, you might use the range to see whether your spending is normal. But while there is an overall average spending level ($964), there’s nothing normal about a range that runs from as little as $100 per employee to well into the thousands.

Many factors could account for this. In some industries, the consequences of a breach are far greater, even if personnel requirements are not. Energy utilities, for example, are acutely sensitive to what could happen if their security were breached, and the data from 72 energy respondents yielded an average security spend per capita of a little more than $7,000. On the other hand, automobile manufacturers may have less at risk. Their per capita spend came in at $220.

Despite the lack of a norm, the confidence correlation shows up here too, and starkly. The very confident companies spent nearly two and a half times more per capita than those companies that lacked confidence and one and a half times as much as the overall average. (Interestingly, the 6 percent of respondents who said they were unsure how confident they were spent just $585 per capita, even less than the least confident.)

To Do:

1. Try the per capita security expenditure calculation.

2. Compare your per capita expenditure to the average in your industry, and to the very confident and not very confident groups.

Brushfires, Not Conflagrations

Major security breaches are the exception, not the rule. Most security incidents lasted less than a day, cost less than $10,000, and most companies had 10 or fewer of these events in the past year.

What the Numbers Mean

“Terrorists Shut Down Power Grid.” “Hackers Cripple Allied Inc.” Both plausible headlines—or lines from security consultants trying to sell their services. But the survey data shows that information executives are not being confronted by events of that magnitude. They’re dealing instead with lots of brushfires.

The question then becomes: Are the big bang incidents rare because you’ve protected your enterprise well? Are the little hacks common because you haven’t done a good job protecting against them? Or are the big ones rare because they’re hard to pull off and you’re simply lucky to have avoided them, but not lucky enough to have avoided the easier-to-execute smaller incidents?

Howard Schmidt, vice president and CISO of eBay (and former special adviser to the White House for cyberspace security), thinks the prevalence of little bangs everywhere does not suggest that business has done a good job steeling itself against major attacks. Instead, he sees a severe lack of discipline everywhere.

“If anything, the more you take care of the little stuff, the less likely someone will be able to pull off a big attack,” says Schmidt. “I see it all the time. Companies are always pushing, ’Let’s just open this one little port.’ Then next thing you know, they want another port and another. And that leads to all these vulnerabilities that turn into little brushfires. No one draws the line and says no. Instead of creating a culture of security, we’re often creating a culture of getting around security.”

The encouraging message buried in Schmidt’s commentary is that in order to mitigate the problem, little if any additional technology, spending or other resources are really required. All that’s required is some discipline—someone to draw the line and say no.

The other matter to deal with here is the high percentage of respondents (40 percent) who indicated that they were unsure of their losses. This probably can be attributed to the fact that security is still a young discipline. If it wasn’t money that was lost, respondents simply don’t know how to calculate the cost of losing intellectual property, or some part of a company’s reputation, or even downtime.

So they don’t try. This is a function of information security’s immaturity, a trait that will reappear in the next cut of data. If companies can’t calculate the cost of a breach, it’s highly unlikely that they’re even trying to create a formula for figuring security ROI.

To Do:

1. Refocus a security program so that it takes into account the smaller, more frequent threats as well as “the sky is falling” threats.

2. Assign a disciplinarian, and vigilantly enforce security rules.

Still Reactive After All These Fears

Despite experts preaching about risk management and treating security proactively, security is still largely justified by fear and government regulation.

What the Numbers Mean

No matter how much evangelizing experts do about making security a contributor to the bottom line and measuring its ROI, it’s still easier to rely on scare tactics to justify security investments.

The numbers indicate how counterproductive that is. For example, the low percentage of respondents who take into consideration the security requirements of their partners and vendors means that they aren’t thinking about security as an external networking problem. Their thinking still focuses on “How will a hacker attack me?” and not “How will any given hack attack reach me?” Also, companies aren’t demanding that their partners and vendors meet given security levels, which would make interaction safer.

Covenant Health is a perfect example. Covenant Health wasn’t attacked, but the Slammer worm still infected the five-hospital network in Knoxville, Tenn. It slithered through a port left open to a Covenant service provider. That provider was also infected but not attacked; the worm had infected the service provider through a port left open to one of its partners.

To adapt an old warning: When you connect your network to a partner, you’re also connecting to your partner’s partners. Yet only 22 percent of respondents demand that partners practice safe business.

Covenant Health Senior Vice President and CIO Frank Clark learned the hard way. He now demands partners meet certain security requirements that he defines before they’re allowed to link to his network. “We now make them specify exactly what they want access to and what ports they need,” he says. “What we’re finding is they themselves have a hard time knowing what they need access to.” Clark hopes the corrective action causes a domino effect—that by requiring his partners to meet higher security standards, his partners will require their partners to do the same, and so forth.
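Schmidt’s “just open this one little port” and Clark’s rule that partners state exactly which ports they need come down to the same control: an explicit allowlist on the partner link, reviewed for holes. The following is an added example, not code from the article, Covenant Health or any product. The partner name, address range, permitted ports and traffic are all constructed; the one outside fact it relies on is that the Slammer worm propagated over UDP port 1434.

```python
"""Partner-link allowlist: a blanket "open it for the partner" rule beside the
explicit version, checked against constructed traffic that includes a
Slammer-style UDP/1434 probe. Example code, not from the article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    partner: str
    src: str                 # CIDR block the partner connects from
    proto: str               # "tcp", "udp" or "any"
    ports: FrozenSet[int]    # empty set means "any destination port"


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int


def allowed(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Return the partner whose rule admits pkt, or None if nothing matches."""
    for r in rules:
        if ip_address(pkt.src) not in ip_network(r.src):
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.ports and pkt.dport not in r.ports:
            continue
        return r.partner
    return None


def overbroad_rules(rules: List[Rule]) -> List[Rule]:
    """Policy review: rules that grant any port or any protocol to a partner.
    These are the "one little port" grants that quietly become a hole."""
    return [r for r in rules if not r.ports or r.proto == "any"]


def evaluate(rules: List[Rule], traffic: List[Packet]) -> List[Optional[str]]:
    return [allowed(rules, p) for p in traffic]


# Before: a hole opened for the partner without asking what it needs.
# (Hypothetical partner name and address range.)
PERMISSIVE = [Rule("claims-clearinghouse", "203.0.113.0/24", "any", frozenset())]

# After: the partner had to specify what it needs (assumed here: HTTPS and SFTP).
EXPLICIT = [Rule("claims-clearinghouse", "203.0.113.0/24", "tcp", frozenset({443, 22}))]

# Constructed traffic: legitimate HTTPS from the partner, a Slammer-style
# UDP/1434 probe from the same (infected) partner, and the same probe from a
# host that is not a partner at all.
TRAFFIC = [
    Packet("203.0.113.10", "tcp", 443),
    Packet("203.0.113.10", "udp", 1434),
    Packet("198.51.100.7", "udp", 1434),
]

if __name__ == "__main__":
    print("permissive:", evaluate(PERMISSIVE, TRAFFIC))
    print("explicit:  ", evaluate(EXPLICIT, TRAFFIC))
    print("overbroad: ", [r.partner for r in overbroad_rules(PERMISSIVE)])
```

Under the permissive rule the worm probe from the partner is admitted exactly like the legitimate HTTPS session; under the explicit rule only port 443 gets through. The review function is the part that scales: run it over the whole rule set whenever someone asks for “one more port”, so that the any-port grants are visible rather than accumulated.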

To Do:

1. Pursue metrics and business justifications for security. Try to wean yourself away from using fear to justify security investments.

2. Set security requirements for anyone connecting to your network, and insist that partners and vendors meet those requirements.

No Correlations and Odd Correlations

It is difficult to find a relationship between good security and spending. And sometimes there’s even an inverse relationship.


The difference in security spending, measured as a percentage of the IT budget, between companies that reported

  • 0 to 50-plus incidents
  • 0 to 10-plus days of downtime and
  • $0 to $500,000-plus in damages in the last 12 months

never varies by more than 1.06 percentage points.


Companies that suffered more than a half million in security-related damages were more than twice as likely to say they were cutting their security spending as those who suffered no damages. Those who had more than 50 incidents and those who had more than 10 days of incident-related downtime were also more likely to decrease spending than those who reported no incidents and no downtime.

What the Numbers Mean

Since company size (and therefore budgets) varies so widely across the survey’s more than 7,500 respondents, the relative measure of security spending as a percentage of the overall IT budget provides a better comparative measure than the total spent on security.

The barely one percentage point separating the highest spenders from the lowest shows that those suffering fewer security incidents didn’t necessarily spend more to stay secure. Conversely, those that were hardest hit didn’t spend any less than those untouched.

So you can’t accuse the companies that suffered breaches of not spending enough. But perhaps they didn’t spend well. The hardest question for IT security officers to answer clearly isn’t “How much should we spend?” but “Where and how should we spend?”

The answer: Probably not on technology.

Security expert Bruce Schneier of Counterpane Internet Security, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World, believes that technology has been hamstrung in its ability to protect companies because it hasn’t been matched by security awareness.

“Most of the time security problems are inherently people problems, and technologies don’t help much,” says Schneier. “Photo IDs are a great example. Technologists want to add this and that technology to make IDs harder to forge, but I worry about people bribing issuing officials and getting real IDs in fake names. [At least two of the 9/11 terrorists did that.] Technology that makes the IDs harder to forge doesn’t solve that problem.”

Then there’s the problem of companies not using the technology they have to its full potential.

Seven out of 10 survey respondents used intrusion detection systems, eight of 10 used firewalls, and nine of 10 used antivirus software. But only 50 percent of events were detected through those technologies or through security service providers managing those technologies for a company. The other half were detected the harder way—by customers, colleagues or the news media alerting the company to a breach, or worse yet, to damages the event caused.

Companies have deployed so much technology, and have generated so much data in the form of log files, that they often have given up trying to interpret the data. The haystack’s grown too big to look for needles in it, says Andrew Toner, partner in PricewaterhouseCoopers’ security practice. “When they give up,” he says, “that’s when breaches happen.”

Giving up is one way to explain the tendency of companies that were hardest hit by hacks to cut their security budgets. Maybe these companies were hard hit by something else—the economy—and are cutting budgets across the board.

But it’s just as likely that they’ve decided the money they did spend was not spent well. Why? Information security has not, for the most part, adopted risk management as a philosophy. It’s still treated as a binary: Either we’re safe or we’re not. Either the money we spent worked or it didn’t.

“People think in terms of threats, not in terms of risk,” says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who previously served as a security manager and safety manager at two prisons. “Risk management allows you to assemble threats into some order of importance so the available funds can be used most effectively to prevent and prepare for the identified risks.”

So why haven’t information security professionals adopted a risk management approach? “Because it’s harder,” McCreary says. “It takes more time and effort and, of course, more knowledge.”

To Do:

1. Spend on education and risk management training instead of technology.

2. Take better advantage of the technology you have by analyzing the data it generates, not simply viewing the technology as a tool to block attacks.

Why No One Hits .400 Anymore

The late evolutionary naturalist Stephen Jay Gould contended that complex systems (like nature or information security) evolve from wild variation in their youth to relative uniformity in maturity while maintaining an overall constant average in both.

To make his point, Gould, as was his wont, used baseball. In Full House: The Spread of Excellence from Plato to Darwin, he noted that throughout the history of the game the aggregate batting average of major league hitters has remained constant at about .260 but that there used to be a much higher incidence of .400 hitters than there is now. In fact, the .400 hitter could be said to be extinct. Ted Williams was the last player to hit over .400, and that was in 1941. Previously, Ty Cobb and Rogers Hornsby each did it three times.

How come no one hits .400 anymore, despite the fact that hitters are stronger, use better equipment and have access to advanced training technologies like video? The reason, Gould asserted, is that everything has improved around them, notably pitching and fielding. When baseball was young, no one knew the optimum way to pitch to a batter, or the best strategy for positioning fielders, or even what degree of success or failure was of professional caliber. But, over time, data has been assembled and analyzed, and best practices have emerged. Everyone gets so good at what they do, Gould asserted, that it becomes more difficult either to fail or to excel.

Information security in 2003 is where baseball was in 1922, a year in which three players hit over .400, many hit in the high .300s, and still more hit in the .100s.

Today, there’s wild variation in how well companies secure their enterprises. But over time, Gould would argue, data will accrete, best practices will emerge, information security will normalize, and everyone will move toward the mean.

Until then, however, some companies are Ty Cobb, and many, many others can’t bat their weight.