The Global State of Information Security 2003

From a worldwide study conducted by PricewaterhouseCoopers and CIO magazine, we look at where infosec is in 2003 and where it's going.


But the encouraging message buried in Schmidt's commentary is that, to mitigate the problem, little if any additional technology, spending or other resources are really required. All that's required is some discipline: someone to draw the line and say no.

To-Dos

1. Refocus a security program so that it takes into account the smaller, more frequent threats as well as "the sky is falling" threats.

2. Assign a disciplinarian, and vigilantly enforce security rules without exception or variance.

Still Reactive After All These Fears

Despite experts preaching about risk management and treating security proactively, security is still largely justified by fear and government regulation.

What the Numbers Mean

In and of themselves, these numbers won't surprise anyone, and the cynics among us will sniff knowingly. No matter how much preaching we do about making security a contributor to the bottom line, and measuring its return, the discipline is largely too young and unscientific for that. There are some primitive formulas, but none has been widely accepted. It's still easier to rely on scare tactics to justify security investments.

This shouldn't be considered an endorsement of that strategy. According to security experts, CISOs and CSOs should seek any objective calculation of the value of security.

But the numbers do carry some nuances. For example, the low percentage of respondents who take into consideration the security requirements of their partners and vendors suggests that they aren't thinking about security as an external networking problem. Their thinking still focuses on "How will a hacker attack me?" instead of "How will any given attack reach me?" Also, partners and vendors aren't demanding of each other that they, in turn, meet certain security levels, which would make interaction safer.

Covenant Health is a perfect example. Covenant Health wasn't attacked, but the Slammer worm still infected the five-hospital network in Knoxville, Tenn. It slithered through a port unknowingly left open to a Covenant service provider. That provider was also infected but not attacked; the worm had infected the service provider through a port left open to one of its partners.

To spin an old caveat: When you connect your network with a partner, you're also connecting to your partner's partners. Yet only 22 percent of the respondents were required by their partners to practice safe business. That seems like the easiest thing in the world to do. Just ask (no, demand) that partners do their part. The fact that so few companies demand it suggests a paralysis of hypocrisy: How can any one company demand that others be safe if it can't, for sure, guarantee that it won't infect its partners? It will take more and more companies joining that vigilant minority who do demand safe business to tip the scales in favor of security over promiscuity.

Covenant Health's former CIO Frank Clark became a part of that vigilant minority after learning the hard way. He demanded partners meet certain security requirements before allowing them to link up to his network. "We made them specify exactly what they wanted access to," he says. "But they, themselves, had a hard time knowing what they wanted access to." By requiring partners to meet higher security standards, he says, they'll require their partners to do the same.

To-Dos

1. Pursue metrics and business justifications for security, and try to wean yourself from using fear factors to justify security investments.

2. Set baseline security requirements for anyone connecting to your network, and force partners and vendors to meet those requirements.

The Per Capita Benchmark

Dividing the security budget by the number of employees yields some surprising (and erratic) spending habits. But even here the confidence correlation is clear.

What the Numbers Mean

The per capita security spend (information security budget divided by number of employees) gives you a benchmark with which to compare yourself across industries, regardless of company size. It can also show how spending per employee varies geographically. It's a simple but powerful calculation that will shed some light on a subject that you've been struggling with.

Impulsively, you might use the spectrum to see if your spending is normal. But while there is an overall average spending level ($964), there's nothing "normal" about the range of spending, from as little as $100 per employee to well into the thousands of dollars.

Many factors could account for the broad range of spending. In some industries, the stakes are exponentially higher, even if the personnel requirements are not. An energy utility is a good example, where 72 respondents yielded an average security spend per capita of more than $7,000.

Despite the lack of normalcy, the confidence correlation shows up here too. The confident companies spent nearly two and a half times more per capita than those that lacked confidence, and one and a half times as much as the overall average. (Interestingly, the 6 percent who were unsure of how confident they were spent just $585 per capita, even less than the least confident group.)

North American businesses also spent significantly more ($1,200 per capita) than companies in the rest of the world (about $800). That didn't make them any safer, per se. Some argue it proves North American companies are less efficient with their security spending.

In the strangest twist of all, companies that suffered no damages last year spent $684 per capita, less than the average for companies that had suffered damages. Companies with more than a half million in damages spent nearly $1,500 per head. The calculation may be primitive, but security executives are clamoring for any objective numbers they can get their hands on. At the very least, it's a ballpark in which to play.

To-Dos

1. Try the per capita security expenditure calculation in your enterprise.

2. Compare your per capita expenditure to the average in your industry, the very confident and not very confident groups, and the overall average of $964.

Why No One Hits .400 Anymore

The late naturalist Stephen Jay Gould contended that complex systems evolve from wild variation in their youth to relative uniformity in maturity, all the while maintaining an overall constant average in both. To make his point, Gould used baseball. In Full House: The Spread of Excellence from Plato to Darwin, he noted that, throughout the history of the game, the aggregate batting average of major-league hitters has remained constant at about .260, but that there used to be a much higher incidence of .400 hitters than now. Ted Williams was the last player to hit over .400. Prior to that, Ty Cobb and Rogers Hornsby did it three times each.

But no one hits .400 anymore, despite the fact that hitters use better equipment and have access to advanced training technologies. The reason, Gould asserted, is that everything around them, notably pitching and fielding, has improved. When baseball was young, no one knew the best way to pitch or the best strategy for positioning fielders. Over time, data has been analyzed and best practices have emerged. Everyone gets so good at what they do, Gould asserted, that there is less room for deviation from the norm. Indeed, batting averages vary less and less from the century-old average of .260.

Information security in 2003 is where baseball was in 1922. There's wild variation in how well companies secure their enterprises. But data will accrete, best practices will emerge, information security will normalize, and everyone will move toward the mean.

Until then, however, some companies are Ty Cobb, and many, many others can't bat their weight.

Copyright © 2003 IDG Communications, Inc.
