
Best Practices: The 2004 Global Information Security Survey


By Scott Berinato

Page 3

- Conduct a penetration test to patch up network and application security. (The Best Practices Group was 60 percent more likely to do this than the average respondent.)

- Perform a complete security audit to identify threats to employees and intellectual property. (The Best Practices Group did this far more often than the average respondent.)

- Create a comprehensive risk assessment process to classify and prioritize threats and vulnerabilities. (The Best Practices Group was 50 percent more likely to do this.)

- Define your overall security architecture and plan from the previous three steps. (Two-thirds of the Best Practices Group did this as opposed to only half of the respondents overall.)

4. Establish a quarterly review process, with metrics (for example, employee compliance rates) to measure your security's effectiveness. This will help you to use your increased resources more efficiently.

And eventually, you'll get locked into that virtuous cycle.

II. Damage Report

The number of incidents was up and security spending was flat. Yet, damages to the enterprise were down. That leads to a remarkably sunny conclusion: We're getting better at managing security incidents. (See "Incidents Up, Damages Down," Page 35)

Behind the Numbers

Nothing in last year's survey results indicated that the virus problem would ebb. The number of viruses big enough to make the news, including nasties like the Sasser worm, was constant. Critical patches for your software came in predictable, frequent waves. And the time between the announcement of a vulnerability and the attack that exploited it was shrinking from several months to, in the case of Sasser, 18 days.

That's why it's so surprising and heartening to report that while the bad stuff keeps coming, one-third of respondents who were hit by security breaches reported zero downtime, and one-third also reported zero financial damages. Overall, both downtime and damages were lower this year than last. (The slight uptick in the percentage of respondents who couldn't quantify damages bears monitoring.)

Last year, we characterized the breach problem as more of a nuisance (albeit an expensive and unpleasant one) than a radical threat to the stability of businesses. It was a nasty flu, not a terminal disease.

This year's data indicates that information security executives are learning to treat their colds and remembering that an ounce of prevention is worth a pound of cure.

What We Think

The Boy Scouts were right. Be prepared. The survey reveals two security practices that we believe explain the improved management of incidents.

First, disaster recovery and incident planning. Fifty-four percent of our respondents designed or improved their existing disaster recovery and business continuity plans in 2004. Thirty-eight percent of respondents this year defined a crisis or incident response strategy, and that percentage rose with company size. Among the biggest companies (revenue of $25 billion or more), 68 percent defined a crisis or incident response strategy.
