The Global State of Information Security 2003
From a worldwide study conducted by PricewaterhouseCoopers and CIO magazine, we look at where infosec is in 2003 and where it's going.
By Scott Berinato
Still Reactive After All These Fears
Despite experts preaching about risk management and treating security proactively, security is still largely justified by fear and government regulation.

What the Numbers Mean
In and of themselves, these numbers won't surprise anyone, and the cynics among us will sniff knowingly. No matter how much preaching we do about making security a contributor to the bottom line, and measuring its return, the discipline is largely too young and unscientific for that. There are some primitive formulas, but none has been widely accepted. It's still easier to rely on scare tactics to justify security investments.
This shouldn't be considered an endorsement of that strategy. According to security experts, CISOs and CSOs should seek any objective calculation of the value of security.
But the numbers do carry some nuances. For example, the low percentage of respondents who take into consideration the security requirements of their partners and vendors suggests that they aren't thinking about security as an external networking problem. Their thinking still focuses on "How will a hacker attack me?" instead of "How will any given hack reach me?" Also, partners and vendors aren't demanding of each other that they, in turn, meet certain security levels, which would make interaction safer.
Covenant Health is a perfect example. Covenant Health wasn't attacked, but the Slammer worm still infected the five-hospital network in Knoxville, Tenn. It slithered through a port unknowingly left open to a Covenant service provider. That provider was also infected but not attacked; the worm had infected the service provider through a port left open to one of its partners.
To spin an old caveat: When you connect your network with a partner, you're also connecting to your partner's partners. Yet only 22 percent of the respondents were required by their partners to practice safe business. That seems like the easiest thing in the world to do. Just ask
Covenant Health's former CIO Frank Clark became a part of that vigilant minority after learning the hard way. He demanded partners meet certain security requirements before allowing them to link up to his network. "We made them specify exactly what they wanted access to," he says. "But they, themselves, had a hard time knowing what they wanted access to." By requiring partners to meet higher security standards, he says, they'll require their partners to do the same.

TO-DOs
1. Pursue metrics and business justifications for security, and try to wean yourself from using fear factors to justify security investments.
2. Assign a disciplinarian, and vigilantly enforce security rules without exception or variance.