What do information security professionals consider the biggest threat to their systems and businesses? According to interviews conducted as part of a recent study commissioned by Unisys Corporation, the security issue most responsible for disrupting the sleep of top security executives is employee negligence or abuse of data warehouses or systems (97 per cent). Insufficient resources to get the job done right (90 per cent) is a close second.
About 80 per cent of respondents felt that outsourcing IT and data management activities in order to reduce costs created additional information security risks that were not being managed adequately.
Surprisingly, fewer respondents (70 per cent) named a catastrophic attack on IT infrastructure, including sophisticated viruses and expert hacker penetration, as a top concern.
Table 1: Security Issues of Most Concern
Employee negligence or abuse: 97%
Insufficient resources to get job done right: 90%
Proliferation of outsourced IT and data management: 80%
Open patches and holes in application software: 73%
Catastrophic attack on IT infrastructure: 70%
Due to the lack of corporate resources, about 73 per cent of participants in the study felt that they did not have the staff to remediate known security holes or apply patches to existing software systems. Table 1 provides a ranking of the top five concerns of today's security professionals.
"One of the most salient findings is that IT professionals must manage complex privacy and data protection issues with tighter budgets and fewer resources," says Janice Burg-Levi, Global Strategic Marketing VP for Unisys.
Unisys conducted in-depth interviews with 34 information security professionals who have the most direct responsibility for information technology security services and planning in their organisations. The largest companies in financial, public, transportation and general commercial industries are represented in the study. Interviews were conducted between December 2002 and February 2003.
Measures to Manage Risk
Table 2 summarises the five most frequently cited measures taken over the past 12 months to improve the information security function or to reduce data protection risk. Because employee negligence or abuse was by far the greatest concern, the vast majority of experts have implemented or revised security policies and standard operating procedures. A large group of respondents have also implemented information security training programs for key personnel, i.e., those who handle, use or secure confidential, sensitive or private information. Along these lines, some companies viewed certification programs such as the CISSP as a major goal for educating security professionals.
Many of the information security professionals interviewed (67 per cent) have conducted company-wide vulnerability assessments to identify gaps and, possibly, to set priorities for managing risk. Such assessments often included penetration tests to determine the effectiveness of perimeter controls such as firewalls, intrusion detection systems and VPN secure channels.
Table 2: How Companies Are Managing Risk
Revised security policies and procedures (SOPs): 93%
Training program for key personnel: 83%
Conducted vulnerability and penetration assessments: 67%
Improved access and authentication controls: 57%
Appointment of high level information security officer: 53%
Some 57 per cent of respondents indicated that identity management activities, including access controls and authentication, were a major area of improvement over the past year. Another 53 per cent viewed the appointment of a high level officer, often called the chief information security officer or CISO, as a major improvement in the company's security infrastructure.
Greater Risks but Tighter Budgets
The interviews revealed frustration with the lack of funds for preventive security measures. Some commented that the lack of resources is forcing them to make tough allocation decisions that may leave the company's critical infrastructure vulnerable.
While budgets reported for security and privacy vary widely (from $US500,000 to $US25,000,000), the largest budgets are granted to those security professionals in such regulated industries as banking and pharma/healthcare.
Some of the greatest strains to the budget include hiring and keeping the most talented staff, conducting training and awareness programs for key personnel, keeping up with the plethora of new tools that might enhance security controls, and implementing systems that help manage customer or employee preferences for privacy.
Best Practices Based on Real World Experience
During the interviews, the security professionals shared what they believed to be good information security practices that complex business organisations should implement or maintain. These best practices include the following:
—Integrate information security management with other corporate compliance initiatives. It is important to combine key functions or activities with the company's privacy, corporate compliance and internal audit initiatives.
—The CISO should report directly to senior management, with periodic update reports to the CEO or Board. Information security must be owned by a member of senior management (such as the CIO or CFO) so that the function has enough budget authority to get the job done "right".
—Introduce enabling technologies that help prevent common threats to data security and privacy. While new technologies in perimeter control, connectivity and authentication could be of enormous value in mitigating security risks, many of these products are not being used due to limited time and budgets.
—Empower local information security managers. Because the IT infrastructure in many companies is decentralised, it is important that employees in the various autonomous IT units own responsibility for information security management. This will require a dotted line to the company's CISO in order to ensure accountability and control over resources.
—Create the best possible training program. As previously noted, internal employee negligence is a major cause for serious security breaches. There is a real need for teaching employees the "dos and don'ts" of information security. Good training also can infuse the company with a culture that promotes personal accountability for safeguarding confidential or sensitive information (including paper files) and IT equipment.
—Conduct vigorous internal monitoring of information security processes and controls. Many of the IS professionals interviewed acknowledged the importance of keeping a vigilant eye on the IT and data management infrastructure. They also reported very positive experiences with third-party audits, including the early identification of serious security holes and potential regulatory compliance breaches.
While participants in the study listed numerous challenges to maintaining the security of their systems and complying with new privacy regulations, they also noted that these challenges offered new opportunities for their profession.
They believe senior management is becoming more sensitive to security risks. Further, there is a growing realisation that superior privacy practices can build trust and enhance the organisation's reputation in the marketplace. As a result, security professionals are hopeful that they can turn today's security and privacy threats into tomorrow's business opportunities.
--------------------------------------------------------------------------------
Dr. Larry Ponemon is chairman and founder of Tucson-based Ponemon Institute, a think tank dedicated to advancing ethical information and privacy management practices in business and government. He is also a partner with Peppers & Rogers Group, a leading strategic management consulting firm focusing on responsible information management practices.