Research

The Global State of Information Security 2003

From a worldwide study conducted by PricewaterhouseCoopers and CIO magazine, we look at where infosec is in 2003 and where it's going.

By Scott Berinato

Page 3

"Computer security folks are always trying to solve problems with technology, which explains why so many computer solutions fail so miserably," he says. "Most of the time, the security problems are inherently people problems, and technologies don't help much."

Take photo IDs, for instance. Schneier says that technologists want to add this or that to make IDs harder to forge, but what about the people who bribe the issuing officials to get real IDs in fake names? (At least two of the 9/11 terrorists did that.) The technology that makes an ID harder to forge doesn't solve that problem.

In addition to the willy-nilly deployment of technology, some companies are also not using the technology to its full potential.

Consider that seven out of 10 survey respondents used intrusion detection systems, eight of 10 used firewalls, and nine of 10 used antivirus software. But only 50 percent of events were detected through those technologies or through security service providers managing those technologies for a company. The other half were detected the hard way: by customers, colleagues or news outlets alerting the company of a breach, or worse yet, by the damages the event caused.

Companies have deployed so much technology, and it has generated so much data in the form of log files, that they have given up trying to interpret the data. The haystack has gotten too big to look for needles in it, says Andrew Toner, partner in PricewaterhouseCoopers' security practice. "When [organizations] give up, that's when breaches are going to happen."

One interpretation for the disturbing trend of budget cuts by companies that were hit hardest by hacks is that they just gave up. Another possible explanation is that these companies are hard hit by something else, the economy, and they are cutting budgets across the board regardless of security breaches.

But it's just as likely that they've decided that the money they had spent was money down the drain. Why? Information security, for whatever reason, hasn't yet adopted risk management as a philosophy. It's still treated binarily: Either you're safe, or you're not. Either the money you spent worked, or it didn't. And that must change.

"People think in terms of threats, not in terms of risk," says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who previously served as a security manager and safety manager at two prisons. "Risk management allows you to assemble threats into some order or importance so the available funds can be used most effectively to prevent and prepare for the identified risks."
