The Global State of Information Security 2008

Our annual survey finds respondents throwing technology at the problem. Which is a beginning, but only a beginning.

By Kim Nash

As a result, security is still largely reactive, not proactive. More-sophisticated organizations will funnel data from network logs and other monitoring tools into business-intelligence systems to predict and stop security breaches. So along with encryption fanatics and identity management experts, an infosec team needs statisticians and risk analysts to stay ahead of trouble and keep the company name off police blotters.

Still, while our survey illuminates continuing problems, in discovering them we also see a path to safer data for companies that, yes, apply technology but also develop processes and make them part of everyone's everyday work. So it's not all grim. What we have to do now is examine our failings, then act.

The Big Picture: Technology Reigns

Money really is power, isn't it? When asked to indicate any sources of funding for information security, 57 percent of survey respondents named the IT group and 60 percent cited functional areas such as marketing, human resources and legal as major providers. Just 24 percent indicated a dedicated security department budget.

With the IT group a strong force, technology becomes the answer to many security questions. To someone with a hammer, everything looks like a nail, according to the old saw. Divert potential phishing attacks with spam filters. Stymie laptop thieves by encrypting corporate data.

If there's a security tool out there, our survey pool uses it.

Companies have realized they must do a better job disposing of outdated computer hardware, for example, wiping disks of data and applications. Sixty-five percent of respondents now have tools to do that, up from 58 percent last year. More organizations than ever are encrypting databases (55 percent), laptops (50 percent), backup tapes (47 percent) and other media. Use of intrusion-detection software also is up: 63 percent this year compared with 59 percent last year. And installing firewalls to protect individual applications, not just servers and networks, increased to 67 percent from last year's 62 percent.

That's good stuff.

Despite these technology-oriented gains, though, disturbing trends continue in the areas of security processes and personnel—some negate any protection an IT budget can buy. For example, encrypting sensitive data makes good sense, but such technology can't stop an employee from flouting policies concerning how that data should be handled.

If the goal is to secure information, to make it truly safe, you'd better develop processes and procedures for putting your nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to secure information, says Dennis Devlin, chief information security officer at Brandeis University. Devlin reports to Brandeis's vice president and provost for libraries and information technology.
