Zero in on the information security risks facing your company, or you'll likely find yourself overwhelmed. That's the overall message of our 2008 InformationWeek Strategic Security Study, which polled nearly 1,100 IT and business professionals about plans and priorities for securing their companies' assets.
Getting the money for security isn't the biggest problem: Fully 95% will see their budgets either hold steady or increase this year. It's that the money isn't making data safer. Sixty-six percent of respondents say their vulnerability to breaches and malicious code attacks is either the same as last year or worse. Since when is "no worse than before" an acceptable return on investment?
The solution lies in securing to specific threats. The problem is that IT lags well behind other disciplines in adopting systematic risk management processes. But those technology professionals who have made the leap into classifying IT assets, assigning values, evaluating threats, then determining where and how to mitigate risk find the process to be extremely valuable.
In short, risk management principles bring rigor to information security.
Here's one illustration from our security study of how risk management can focus companies on the most important threats: Insecure coding practices are a pox on all our houses. Roughly half of respondents whose organizations have risk management plans in place specify security features at the time of application design. Of those without risk management plans, just 22% focus on code security.
We need the jolt that this security study provides. Twenty-one percent of companies never conduct security risk assessments, and of those that do, just one in five imposes the rigor of using a specialized external auditor. This despite 63% contending with government or industry regulations related to data security, many of which don't give adequate guidance on how to comply. Best practices are the best defense in such gray areas.
We could go on, and we will. But we need to stop for a second and ask, what gives?
WHAT DO WE GET FOR THE MONEY?
There's no blaming the financial powers that be. For nearly 30% of respondents, security accounts for at least 11% of the total IT budget. The bad news: Viruses, phishing attacks, and worms continue to cause headaches, and companies keep pouring money into firewalls and antivirus protection. Speculation that these product categories would fade away, or at least be assimilated into other technologies, is premature, as 13% say their vulnerability to breaches and malicious code is even worse than last year. And they're the only two product categories rated as effective by more than half of respondents.