Survey Shows Yearly Security Spending Up But Data No Safer

Jul 22, 2008 4:04 PM



The 2008 Strategic Security Study from InformationWeek polled nearly 1,100 IT and business professionals about plans and priorities for securing their companies' assets. It found that getting the money for security isn't the biggest problem since fully 95 percent will see their budgets either hold steady or increase this year. The problem is that the money isn't making data safer. Sixty-six percent of respondents say their vulnerability to breaches and malicious code attacks is either the same as last year or worse.

InformationWeek reports that the problem goes back to how IT lags well behind other disciplines in adopting systematic risk management processes. But those technology professionals who have made the leap into classifying IT assets, assigning values, evaluating threats, then determining where and how to mitigate risk find the process to be extremely valuable.

The study found that risk management can focus companies on the most important threats: roughly half of respondents whose organizations have risk management plans in place specify security features at the time of application design. Of those without risk management plans, just 22 percent focus on code security.

Twenty-one percent of companies never conduct security risk assessments, and of those that do, just one in five imposes the rigor of using a specialized external auditor. This despite 63 percent contending with government or industry regulations related to data security, many of which don't give adequate guidance on how to comply. Best practices are the best defense in such gray areas.

Companies also are behind in implementing encryption to protect customer and employee data. The study found that the only actions to safeguard customer data that are used by more than half of companies are informing employees of standards and putting a privacy policy on the Web site. According to InformationWeek, this still excludes the need for encryption (used by 34 percent) or privacy policy audits (25 percent).

Financial reasons are not to blame, because for nearly 30 percent of respondents, security accounts for at least 11 percent of the total IT budget. A lot of that money, however, goes to viruses, phishing attacks and worms, and speculation that these product categories would fade away, or at least be assimilated into other technologies, is premature, as 13 percent say their vulnerability to breaches and malicious code is even worse than last year.

The survey found that complexity is the biggest security challenge, because inevitably, more data ends up on the network, more agents run on company computers and employees expect some control over the PCs they use. As travel and energy costs skyrocket, companies are increasing the use of branch offices and teleworkers, a trend that spreads data far and wide as people expect to work securely from customer sites, home or the coffee shop down the street.

Complexity also stems from juggling multiple compliance requirements, training and educating staff and users in security awareness, and coping with increasing technical sophistication of networks.

© 2008 Penton Media Inc.
