Best Practices: The 2004 Global Information Security Survey

By Scott Berinato

Page 4

Second, a strong focus on end-user education. More than half of all respondents cited it as one of their practices.

When information security teams are prepared for incidents, and when end users know how to behave, damage will be minimized.

III. Missed Goals, Missed Opportunities

Last year, our respondents named the following as their strategic security goals for 2004. This year's survey indicates that those goals were often not met.

Behind the Numbers

Call this the priority gap. What you identified last year as a priority and what you actually did about it fails to sync up. It's not even close. Out of 30 security priorities (the top 17 are listed in "Missing the Mark," right) named in operations and technology in 2003, execution fell short of ambition in 28 instances. More disturbing is the fact that the only two priorities from the 2003 survey that were implemented to a greater degree than planned involved firewalls.

Security professionals turn to firewalls when they want their nonsecurity-savvy bosses to feel secure. Deploying firewalls makes it look like the security team is doing something. This is important in a discipline where, when things are going well, nothing happens.

"Deploying a firewall is actionable," says Javed Ikbal, CISO of Omgeo, a financial services company. "Also, it's easier to define and secure the perimeter than to deal with more complex threats like social engineering."

In order to be effective, firewalls and other log-based security controls (such as intrusion detection) require highly refined operational procedures (such as audits and monitoring), the kind of thing that was rarely implemented this year.
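The point above, that a firewall only pays off when someone actually reviews what it logs, is easier to see with a concrete monitoring routine. The following is an added example, not code from the article or the survey: it parses constructed, iptables-style firewall log lines (the `FW-ACCEPT`/`FW-DROP` prefix, the field names and the RFC 5737 documentation addresses are all assumptions) and produces the two findings an audit procedure would want, namely accepted connections to ports outside the approved list and sources whose drop count crosses a threshold.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified iptables-style format.
# These are illustrative only; they are not taken from the article or any real system.
SAMPLE_LOG = """\
Jun 12 10:01:02 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
Jun 12 10:01:03 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
Jun 12 10:01:04 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389
Jun 12 10:01:05 fw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Jun 12 10:01:06 fw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=3306
Jun 12 10:01:07 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445
this line is malformed on purpose and must be skipped by the parser
"""

# Field layout assumed for this example: action prefix, then SRC=, DST= and DPT= tokens.
LINE_RE = re.compile(
    r"FW-(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one firewall event, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"action": m["action"], "src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"])}


def review_firewall_log(text, allowed_ports, drop_threshold):
    """Audit a log excerpt against a port allowlist and a per-source drop threshold.

    allowed_ports:  set of destination ports that policy says may be accepted.
    drop_threshold: number of drops from one source that should draw attention.
    """
    drops_by_src = Counter()
    unexpected_accepts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped rather than crashing the review
        if ev["action"] == "DROP":
            drops_by_src[ev["src"]] += 1
        elif ev["dpt"] not in allowed_ports:
            # An ACCEPT to a port that policy does not list is a rule-base or policy drift finding.
            unexpected_accepts.append(ev)
    noisy_sources = sorted(src for src, n in drops_by_src.items() if n >= drop_threshold)
    return {
        "unexpected_accepts": unexpected_accepts,
        "noisy_sources": noisy_sources,
        "drops_by_src": dict(drops_by_src),
    }


if __name__ == "__main__":
    report = review_firewall_log(SAMPLE_LOG, allowed_ports={443}, drop_threshold=3)
    for ev in report["unexpected_accepts"]:
        print(f"ACCEPT outside policy: {ev['src']} -> {ev['dst']}:{ev['dpt']}")
    for src in report["noisy_sources"]:
        print(f"source over drop threshold: {src} ({report['drops_by_src'][src]} drops)")
```

The allowlist and the threshold are the parts of the "operational procedure" that the article says were rarely implemented: the firewall produces the same lines whether or not anyone reads them, and the findings only exist once someone has written down what is permitted and what level of noise is worth a ticket.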

The survey does not reveal why you may not have gotten to last year's priorities. Time didn't seem to present a problem. In 2003, nearly half of all respondents listed "limited or no time to focus on security" as a "barrier to good security." But in 2004, that dropped to just one-third. What's more: Most other obstacles, including insufficient security awareness and the lack of upper management buy-in, also dropped significantly.

It could have been a human resources issue. Understaffing (at 44 percent) rose to the second most frequently cited obstacle. The most commonly cited barrier was, as always, money (although that dropped from 64 percent of respondents citing it in 2003 to 57 percent this year).

Ikbal sees a series of factors contributing to the priority gap: "These tasks are unpleasant, and people will put them off if they can. They're afraid to know what they'll find out. [Then] they do find out, but they don't have the resources to fix what they found is broken."
