By Ted Kemp, Secure Enterprise
Dec. 5, 2005
Resourceful I.T. security professionals are getting the job done, but
their efforts have been hampered by undersized staffs and underfunded
budgets that limit choices ranging from what products they buy to the
vendors they work with.
The third annual Strategic Deployment Survey conducted by Secure
Enterprise, an InformationWeek sister publication, polled more than
1,500 IT-security pros about their companies' security and their
tactics for dealing with challenges. Follow-up interviews provided
even more details on the state of IT security.
Shortfalls in security staffing and budgets aren't new, of course. But
what makes the situation more nerve-racking are the regulatory risks
and compliance requirements that fall to the IT security department,
adding cost and work at a time when budgets are growing only
moderately, if at all. Case in point: One multibank holding company
with 500 employees and assets of almost $2 billion recently
implemented monitoring, encryption, and intrusion-prevention
technologies to assist its adherence to the Sarbanes-Oxley Act, the
Gramm-Leach-Bliley Act, the Bank Secrecy Act, and the Health Insurance
Portability and Accountability Act. But the company's chief
information security officer, who asked to remain unidentified, still
has a bleak security outlook.
"Our staffing levels are inadequate and have an impact on our ability
to maintain systems in accordance with our policies and standards," he
says. "This problem won't improve. Hopefully, we can do more
automation and less hands-on administration and monitoring."
He's not alone in his pessimism. The survey shows IT security staffing
almost unchanged from last year--and, in a word, deficient. Forty-four
percent of this year's respondents describe their security groups as
moderately understaffed, with 21% saying they're severely
understaffed. Last year, those numbers were 45% and 20%, respectively.
"I've yet to meet anyone who has all the staff and money they need,"
says Peter Clissold, information security manager at the Edmonton
Police Service, one of Canada's largest law-enforcement agencies. The
agency lacks well-segregated IT security roles and doesn't have the
staff to carry out demonstrable audit or review exercises, Clissold
says. However, he adds, the organization has identified its security
gaps and has managed to get support from executives to address those
Managing expectations is important for handling staffing inadequacies,
Clissold says. It's vital to define what should be expected from IT
security groups--and what they expect from management--to deliver an
expected level of service. Security managers must know their business
and be innovative and resourceful. "We must be skilled communicators
and negotiators with those in senior positions," he says.
Being resourceful often means having users take more responsibility
for security measures, says Justin Bell, a security specialist at a
Wisconsin engineering consulting firm. Bell's IT staff sends out a
monthly security newsletter and E-mail messages that get users to
perform tasks that IT might normally handle. For example, during a
recent switch from static IP addresses to the Dynamic Host
Configuration Protocol, Bell's group took advantage of users' efforts
and cut its workload to 30 machines from 360.
Linked to frustration about understaffing is concern that not enough
IT dollars are earmarked for security. And sometimes, IT-security
managers say, that translates directly to greater organizational
The survey shows shrinking numbers at both the high and low ends of IT
security budgets. Significantly, only 16% of this year's respondents
say less than 1% of their IT budget is spent on security, down from
19% who made the same claim last year. However, the portion of readers
who put their security budgets at 16% or more of their IT spending
shrank as well, down to 7% this year from 9% last year.
"Budgets are increasing, but they're still a sliver of the overall
budget," says Kelly Hansen, CEO of information-security consulting
firm Neohapsis and a columnist for Secure Enterprise.
Around 38% of respondents say 1% to 5% of their IT dollars go to
security. But the majority of security professionals aren't satisfied
with their budgets--to the point of sometimes feeling helpless.
For Jody Simmonds, IT security architect at the Washington state
Department of Health, part of the problem is that her security office
doesn't have its own budget. Instead, security must draw money from
the agency's network-services budget. "Security should have its own
budget," she says. "We're at the mercy of another section, and they
may have different priorities."
Although Neohapsis' Hansen sees security budgets increasing somewhat,
she acknowledges the compliance onus that has fallen on security
managers. Moreover, she says, vulnerabilities unrelated to compliance
are increasing. External attackers, for instance, "used to be
15-year-old kids but are now sometimes linked to organized crime."
Several diverse factors influence how security managers spend the
money they have based on a diverse set of drivers. The top five
drivers in this year's survey were improved business practices,
auditing regulations, industry standards, security breaches from
external sources, and legislative regulations.
Despite staffing and budgetary shortfalls, IT security managers
continue to implement new security procedures and dedicate staff
specifically to security. Twenty-nine percent of respondents, up 1%
from last year, describe their IT security structure as a formal
dedicated team. The portion of organizations that use individuals
within IT to carry out security as only a secondary part of their jobs
fell to 35%, down from 40% last year.
Other organizations are building an overall "culture of security."
Even when a dedicated security staff exists, the job often involves
educating IT and non-IT staff about security risks and needs.
"Everyone plays a role in security, and security is everyone's
responsibility," says Kim Milford, information security officer at the
University of Rochester. Training and awareness are critical aspects
of the school's security program. Part of the university's IT security
staff's work is helping employees understand their roles and
responsibilities, providing guidance on risk assessment, and
Complex But Secure
Sometimes security managers find themselves working within complex
security structures, answering to various supervisors and drawing on
myriad sources of assistance. That's the situation for Tim Donahue,
security manager for the U.S. Army's Distributed Learning System,
which conducts online training for soldiers.
"Our structure is complex, but it's complex in that the Army places
extraordinary emphasis on information security," says Donahue, who is
the sole person dedicated to security within the learning system. A
contracting firm runs the enterprise-management center, however, and
lends its own security engineer. Various entities in the Department of
the Army handle information security, and Donahue can reach out to
them as necessary on issues from troubleshooting to compliance
Survey results also show a growing commitment to put higher-level
people in charge of security. Last year, only 12% of survey
respondents reported that their organizations had a chief security
officer. This year, that number rose to 18%. Similarly, only 12% of
last year's respondents said they had a chief information security
officer; this year, that figure climbed to 22%.
One pronounced shift from last year: the importance of compliance
issues for assessing risk before information-security purchases.
Regulatory compliance and noncompliance issues ranked fifth among
methods for assessing risk in 2004, with just less than half of
respondents saying they look at compliance before making security
purchases. This year, compliance ranked first at more than 60%,
leapfrogging input from peers, internal audits, informal risk
analyses, and penetration as a method for gauging risk.
Neohapsis' Hansen isn't surprised that compliance hit the top spot as
a risk-assessment driver. Rather, she's perplexed it took this long.
"There's a general lack of awareness among IT security professionals
about what role they're going to play in compliance," she says.
Part of the problem is that IT security pros still haven't learned how
to "talk the talk" of compliance, Hansen says. Once they do, they'll
find they have a bigger voice when it comes to getting budget outlays
and the support they need to do their jobs. IT gets more clout when
it's the company arm delivering adherence to regulations for which
executives are sometimes held personally responsible.
"The emergence of HIPAA and other laws that regulate security and
privacy also has helped to move information security from a technical
control to a business control," says the University of Rochester's
Milford. "Prior to HIPAA, info security was considered a binary
switch: 'Just make it secure.' But now it has become part of the risk
assessment an organization must go through to determine how best to
The Sarbanes-Oxley Act leads the way when it comes to regulations with
which organizations must comply. About 42% of readers say they have to
adhere to Sarbanes-Oxley, followed by HIPAA at 38%; the Federal
Privacy Act of 1974 at 35%; and the USA Patriot Act at 26%.
It's not surprising that, strapped as they are for resources and time,
security professionals want products and suppliers that let them do
their jobs with minimal hassle.
Integration with existing networks is the capability survey
respondents say they most look for in a product. Tools that don't work
well within an existing architecture can be worse than
ineffective--they can create new risks.
The next-most-sought-after features were performance, second; and high
When it comes to choosing a vendor, reliability is again key. The most
highly desired quality in a vendor is responsiveness to product
security problems, followed by reputation.
Readers rank E-mail-borne viruses and worms as carrying the highest
risk among the threats listed in this year's survey, followed by
unknown vulnerabilities in commercial products and Web and custom
applications. Hansen is surprised that E-mail viruses and worms rank
so high. Most antivirus software does a good job, she says, though
browser-based attacks present a major and growing problem.
Respondents rank internal attacks as a relatively low threat, despite
the plethora of research that shows that internal attacks, or those
committed by employees, are a major threat. Last year's poll showed
similar results, with external attacks being ranked riskier than
internal ones by a wide margin.
While internal threats may in fact be a greater risk than external
threats, Donahue says that's only because the organization has managed
to eliminate or mitigate serious external threats.
"We've spent so much time and effort on containing external risk that
we have brought it down to the point that it's become more likely that
we'll be exposed to an internal risk," he says. There's a level of
trust that's part of the IT-employee relationship, he says, and if
background checks come back clean, Donahue has done his due diligence
and it's reasonable for him to assume the best from his staff.
There's more than that at work in security managers' thinking, Hansen
says. Quite often, it's the external breaches, not the internal ones,
that get IT security professionals fired. Other times, IT security
staff might not even be made aware of how serious internal threats can
be. Also, security managers sometimes tend to see internal threats as
more of a human-resources problem than an IT one.
Among the technologies deployed by readers, antivirus ranks highest on
the perimeter, on internal networks, on desktops, and for messaging
security. Antivirus software and similarly older, more-robust
applications are common within organizations because they're
"low-hanging fruit," Hansen says. Moreover, they present good metrics
that can be shown to higher management. "Those are the kinds of things
that allow you to say, 'Hey, I'm providing value to the organization,'
" she says.
And to a large extent, being able to show value is the name of the
game for IT security managers who are struggling to meet intensifying
threats and surging compliance requirements with inadequate staff and
budgets. Still, most IT security experts continue to find workarounds
and fixes to handle their security needs, despite the lack of support
they sometimes receive from executive management.
How The Survey Was Conducted
Secure Enterprise posted its third annual deployment survey on the Web
from Aug. 3 to Aug. 17. It also provided links to the poll on
networkcomputing.com, secureenterprisemag.com, and in newsletters and
the print magazine. E-mail messages also were sent with an embedded
link to the poll to subscribers of Secure Enterprise, Network
Computing, and IT Architect (formerly Network Magazine), and members
of the Computer Security Institute. The survey received 1,522 valid
responses from IT security administrators, managers, midlevel
executives, and corporate execs. Approximately 20% were chief security
officers, chief information security officers, or senior security
managers. Roughly 22% were executive managers; the rest were
Download: More Reader Survey Results
Third Annual Strategic Deployment Survey Results
Earn your Master's degree in Information Security ONLINE
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.